ML20087B026
| ML20087B026 | |
| Person / Time | |
|---|---|
| Site: | 05200003 |
| Issue date: | 04/30/1995 |
| From: | Hake T, Heger A NEW MEXICO, UNIV. OF, ALBUQUERQUE, NM, SANDIA NATIONAL LABORATORIES |
| To: | |
| Shared Package | |
| ML20087B013 | List: |
| References | |
| SAND92-1231, UC-940, NUDOCS 9508070278 | |
| Download: ML20087B026 (182) | |
Text
.
SANDIA REPORT SAND 92-1231 UC-940 Unlimited Release Printed April 1995 Aasessment of ALWR Passive Safety System R liability Phase 1: Methodology Development and Component Failure Quantification T nin M. Hake, A. Sharif Heger Preparud by Sanda National Laboratories Albuquerque, New Mexico 87185 and Uvormore, California 94550 for the United States Department of Energy under Contract DE-AC04-94AL85000 Approved for public release; distribution is unlimited.
4 i
t
~ _
a,,g m.
- l-;
F i
M ~ x%
'J b
- k. _h
- kf'p Y p ;g w
{g
,, i '
,)
'l j r
l.,
5 i
+
y, s
i h
II n
9508070278 950802 DR ADOCK 05200003 PDR
Issued by Sandia National Laboratories, operated for the United States Department of Energy by Sandia Corporation.
NOTICE: This report was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Govern-ment nor any agency thereof, nor any of their employees, nor any of their contractors, subcontractors, or their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, prod.
uct, or process disclosed, or represents that its use would not infringe pri-vately owned rights. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government, any agency thereof or any of their contractors or subcontractors. The views and opinions expressed herein do not necessarily state or reflect those of the United States Govern-ment, any agency thereof or any of their coetractors.
Printed in the United States of America. %is report has been reproduced directly from the best available copy.
Available to DOE and DOE contractors from Office of Scientific and 'Ibchnical Information PO Box 62 Oak Ridge, TN 37831 Prices available from (615) 576-8401, FTS 626-8401 Available to the public from National 'Ibchnical Information Service US Department of Commerce 5285 Port Royal Rd Springfield, VA 22161 NTIS price codes Printed copy: A09 Microfiche copy: A01
.s I
4 i
SAND 92-1231 Distr,h H erg Unlimited Re1 ease CategaryIE-940 Printed April 1995 i
ASSESSMENT OF ALWR PASSIVE SAFETY SYSTEM RELIABILITY PHASE 1: METHODOLOGY DEVELOPf!ENT AND COMPONENT FAILURE QUANTIFICATION
.i 1
i t
l i
Sandia N ion boratories Reactor Systems Safety Analysis Department 5
Albuquerque, NM 87185 A. Sharif Heger University of New Mexico Albuquerque, NM 87131 Abstract Many advanced light water reactor (AIER) concepts proposed for the next j
generation of nuclear power plants rely on passive systems to perform safety functions, rather than active systems as in current reactor designs.
These passive systems depend to a great. extent on physical processes such as natural j
c1rculation for their driving force, and not on active components, such as pumps.
An NRC-sponsored study was begun at Sandia National Laboratories to develop and implement a methodology for evaluating ALWR passive system reliability in the context of probabilistic risk assessment (PRA). This report documents the first
{
of three phases of this study, including methodology development, system-level qualitative analysis, and sequence-level component failure quantification.
j The methodology developed addresses both the component (e.g. valve) failure aspect of passive system failure, and uncertainties in system success criteria l
arising from uncertainties in the system's underlying physical processes.
(
Traditional PRA methods, such as fault and event tree modeling, are applied to j
the component failure aspect. Thermal-hydraulic calculations are incorporated l
into a formal expert judgment process to address uncertainties in selected natural processes and success criteria.
The first phase of the program has emphasized the component failure element of passive system reliability, rather than the natural process uncertainties.
l Although cursory evaluation of the natural processes has been performed as part of Phase 1, detailed assessment of these processes will take place during Phases 2 and 3 of the program.
l l
l l
l I
ACKNOWLEDGEMENTS The authors gratefully acknowledge the technical and programmatic guidance provided by Allen L. Camp of Sandia National Laboratories (SNL). The authors are also indebted to Arthur C. Payne, Jr., of SNL for his valuable technical advice, and to Donnie W.
Whitehead of SNL for his patient assistance with the IRRAS computer code, among other areas.
We further wish to thank Arthur J.
Buslik of the U.S.
Nuclear Regulatoqr Commission for his direction and guidance as Project Monitor throughout Phase 1 of the program.
Finally, we appreciate the information provided by Westinghouse regarding their Advanced Passive 600 MWe reactor (AP600) design. The AP600 serves as the example advanced light water reactor design for which we are demonstrating the passive system reliability methodology developed under this program.
iv
~
r i
t l
NOTE REGARDING DISTRIBUTION OF PROPRIETARY APPENDICES This document describes Phase 1 of an NRC-sponsored program at Sandia Nr.tional j
1 L-boratories to develop and demonstrate a method for evaluating the reliability of passive safety systems in advanced reactors.
Phase 1 of the program was completed in June 1992 i
Bscause the Westinghouse AP600 was used as an example ALWR design for l
l d:monstration of the passive system reliability method, the Phase 1 analyses j
incorporated design informatio" proprietary to Westinghouse. This information i
hts been collected in proprietary appendices in a separate volume, which is to receive limited distribution. This report, without the proprietary appendices, does not contain any proprietary information.
It should be emphasized, however, that the AP600 design information used for this report represents a version of the design at the time of analysis (July 1991).
There have been many design changes since then. This document should therefore not be used as a resource for information regarding the current AP600 design.
1 I
l I
v/vi l
TABLE OF CONTENTS ACRONYMS AND INITIALISMS xiii
' EXECUTIVE
SUMMARY
S-1 1 INTRODUCTION........
1-1 1.1 Obiective 1-2 1.2 Scope 1-3 1.3 Approach.
1-3 1.3.1 Phase 1: Methodology Development and Component Failure Quantification 1-4 1.3.2 Phase 2: Demonstration of Natural Process Assessment Method 1-6 1.3.3 Phase 3:
Implementation of Passive System Reliability Method 1-6 2 METHODOLOGY DEVELOPMENT 2-1 2.1 Literature Survev/Backoround Information.
2-1 2.1.1 Advanced Reactors--Background 2-1 2.1.2 Literature Survey Results 2-3 2.2 Comprehensi e Methodolooy 2-9 2.2.1 STEP 1: System-Level Qualitative Analysis
. 2-11 2.2.2 STEP 2: Sequence-Level Component Failure Quantification 2-16 2.2.3 STEP 3: Sensitivity Calculations to Evaluate Success Criteria Importance 2-17 2.2.4 STEP 4: Natural Process Assessment 2-19 2.2.5 STEP 5: Calculation of Overall CDF and Comparison to Current Plant 2-20 3 COMPONENT FAILURE QUANTIFICATION 3-1 3.1 AP600 Desion Summarv.
3-1 3.1.1 Phase 1 Representative AP600 Design 3-1 3.1.2 General AP600 Plant Description 3-2 3.2 System-Level Oualitative Analysig 3-3 3.2.1 Systems Included in Qualitative Analysis.
3-9 3.2.2 Screening Trees
.......... 3-10 3.2.3 Screening Data Values for Component Failures 3-21 3.2.4 Results of Component Screening Calculations 3-23 3.2.5 Natural Process Discussion.
3-24 3.2.6 System-Level Screening Analysis Conclusions 3-35 3.3 Systems Analysis 3-37 3.3.1 Fault Tree Development 3-38 3.3.2 General Fault Tree Modeling Assumptions 3-41 3.3.3 System, Component, and Event Identifiers 3-43 3.3.4 Individual Fault Tree Descriptions 3-45 3.4 Event Tree Develooment 3-64 3.4.1 Event Tree Analysis Scope 3-64 3.4.2 Event Tree Structure 3-65 vii
TABLE OF CONTENTS, Continued 3-66 3.5 Data. DeDendent Failure. and Human Reliability Analyses
................. 3-67 3.5.1 Database Development 3-68 3.5.2 Dependent Failure Analysis 3-72 3.5.3 Initiating Event Frequencies.
3.5.4 Human Reliability Analysis 3-75 3.5.5 Special Data Issues 3-78 3.6 Base Case Ouantification and Sensitivity Calculations 3-97 3-97 3.6.1 Base Case Calculations.
3.6.2 Sensitivity Calculations.
3-100 3.7 Miscellaneous Post-Secuence-Level Calculation Issues.
3-115 3-115 3.7.1 Water Recirculation Model 3.7.2 Additional Information on Low-Differential-Pressure Check Valve Operation.
3-115 3.7.3 Application of New Recommended Valve Failure Data 3-116 3.7.4 Depressurization System Importance 3-117 4-1 4 RESULTS AND CONCLUSIONS OF PHASE 1....
4.1 Results of the System-Level Qualitative Analysis.
4-1 4.2 Results of Sequence-Level Component Failure Analysis.......
4-2 4.3 Recommendations for Phases 2 and 3 4-5 5 REFERENCES 5-1 Appendix J.
Pertinent Document Listing From October 1990 Literature Survey PROPRIETARY APPENDICES in Separate Volume (Limited Distribution)
Appendix P1: Systems Analysis Appendix P2: Fault Trees Appendix P3: Event Tree Analysis Appendix P4: Data Analysis Appendix P5: Base-Case Importance Calculation Results Appendix P6:
Success Criteria Sensitivity Calculations viii
j LIST OF FIGURES Figure E-1.
Simplified Overview of ALWR Passive System Reliability Evaluation Method.
S-2 Figure 2.2-1.
Simplified Overview of ALWR Passive System Reliability Evaluation Method.
2-10 Figure 2.2-2. High-Level Tree for Passive, Semi-Passive, or Inherent Emergency Cooling Systems 2-13 Figure 3.1-1. AP600 Reactor Coolant Loop (Westinghouse Drawing) 3-4 Figure 3.1-2. Passive Residual Heat Removal System Simplified Schematic (Based on Westinghouse Drawing) 3-5 Figure 3.1-3. Passive Safety Injection Systems Simplified Schematic (Based on Westinghouse Drawing) 3-6 Figure 3.1-4. AP600 Passive Safety Injection During LOCA Initiation (Westinghouse Drawing) 3-7 Figure 3.1-5. AP600 Passive Safety Injection After a LOCA (Westinghouse Drawing) 3-8 Figure 3.2-1. Core Makeup Tank Screening Tree 3-14 j
Figure 3.2-2. Accumulator Screening Tree 3-15 Figure 3.2-3. Passive Residual Heat Removal Screening Tree 3-16 Figure 3.2-4. Gravity Injection From In-Containment Refueling Water Storage Tank (IRWST) Screening Tree.
3-17 Figure 3.2-5. Containment Recirculation and Sump Injection Screening Tree 3-16 Figure 3.2-6. Internal Containment Spray System Screening Tree
. 3-19 Figure 3.2-7. External Containment Cooling Screening Tree.
3-20 r
Figure 3.3-1. Accumulator System Simplified Drawing.
3-47 Figure 3.3-2. AC Power System Simplified Drawing 3-48 Figure 3.3-3. Core Makeup Tank System Simplified Drawing (Non-Proprietary Version) 3-50 Figure 3.3-4. DC Power System Simplified Drawing (Typical of 4)
..... 3-51 Figure 3.3-5. Depressurization System Simplified Drawing 3-53 ix
4
-t
~
t I
LIST OF FIGURES, Continued I
- Figure 3.3-6. External Containment Cooling Injection System Simplified Drawing.
3-55
}
Figure 3.3-7. In-Containment Refueling Water Storage Tank (IRWST) Injection Simplified Drawing ' (Non-Proprietary Version).
. 3-56 i
Figure 3.3-8. Normal Residual Heat Removal System Cimplified Drawing 3-59 l
)
Figure 3.3-9.
Passive Residual Heat Removal System Simplified Drawing.
3-60
[
Figure 3.3-10. Startup Feedwater System Simplified Drawing 3-61 Figure 3.3-11. Sump Injection Simplified Drawing (Non-Proprietary l
Version) 3-63 t
Figure 3.6-1. Base Case Cumulative Distribution.
3-106 6
Figure 4.2-1.
Case 1 Success Criteria Sensitivity Results 4-4 i
I Figure 4.2-2. Case 2 Success Criteria Sensitivity Results.
4-5 i
{
Figure 4.2-3. Case 3 Success Criteria Sensitivity Results.
4-6 a
i h
1 r
i X
,.-.., ~
.._,._...u.,.._..-..__.._,,,
.-.......,m___.
,_...-,..m_,.-_,_,_.,-.,._,,-...
i i
LIST OF TABLES Table 2.1-1.
Examples of Passive, Semi-Passive, or Inherent Features Included in Advanced Reactor Designs 2-2 Table 2.1-2.
Examples of Passive or Inherent Feature Characteristics Requiring Alternative Representational Methods 2-7 Table 3.2-1. Valve Failure Screening Values 3-22 Table 3.2-2. Natural Processes Involved in AP600 Semi-Passive Safety Feature Operation 3-25 Table 3.2-3. Natural Process Parameters / Areas of Uncertainty 3-26 Table 3.2-4.
Coupling of Natural Processes 3-28 i
Table 3.3-1. Systems Analysis Summary.
3-39 Table 3.5-2.
Beta Factor Summary 3-70 Table 3.5-3. Simplified Expressions for Multiple Component Common Cause Failure Events (Non-Proprietary Version) 3-72 Table 3.5-4. Comparison of Westinghouse AP600 and NUREG-4550 Initiator Frequencies.
3-74 i
Table 3.5-1.
Summary Data Table, Non-Proprietary Version 3-83 Table 3.6-1. Base Case Point Estimate Results.
3-107 Table 3.6-2. Latin Hypercube Uncertainty Results for Base Case.
(Emergency Cooling Function Only, Full Correlation Applied) 3-107 Table 3.6-3. Base Case Emergency Cooling Function CDFs for Less Conservative Success Criteria Assumptions.
3-108 Table 3.6-4. Comparison of More Restrictive Success Criteria Sensitivity Calculations Relative to Base Case 3-109 Table 3.6-5.
Sensitivity Calculations for Within-System Variations in Success Criteria 3-110 Table 3.6-6.
Sensitivity Calculations for PRHR Cross-System Variations in Success Criteria 3-111 Table 3.6-7.
Sensitivity Calculations for CMT/ACC Cross-System variations in Success Criteria.
3-112 Table 3.6-8.
Sensitivity Calculations for IRT Cross-System Variations in Success Criteria 3-113 xi
LIST OF TABLES, Continued Table 3.6-9.
Sensitivity calculations for Individual System Importance 3-114 3 117 Table 3.7-1.
New AOV and MOV Failure Data Table 3.7-2.
Results of Applying New Data to Base-Case Models 3-118 1
i i
xii
K
-~
t i
ACRONYMS AND INITIALISMS ACC accumulator i
ACP.
AC power. system ADS automatic depressurization system 1
ALWR
. advanced light water reactor ADV-air-operated valve i
AP600 Westinghouse Advanced Passive 600 MWe reactor APET accident progression event tree ATWS anticipated transient without SCRAM CCF common cause failure CCWS component cooling water system CDF corei 'amage frequency i
CI cor". Anment isolation i
CKV check valve CMT core makeup tank i
CNT containment CSAU code scaling, applicability, and uncertainty evaluation methodology
-l
~ CSS (and CSP) internal containment spray system i
CST condensate storage tank
{
CVCS chemical and volume control-system j
l DCP DC power system DEP depressurization syst'em i
DST.
deaerator water storage tank DVI-
. direct vessel injection (line)
]
ECC external containment cooling system
- i ECC/DHR emergency core cooling / decay. heat removal EPRI Electric Power Research~ Institute i
EXTCC external containment heat removal and water spray (system screening i
analysis)
FRAC Failure Rate Analysis Code FTRO failure to remain open HEP human error probability HRA human reliability analysis HX heat exchanger INEL Idaho National Engineering Laboratory ZPRDS.
In-Plant Reliability Data System IREP Interim Reliability Evaluation Program IRRAS Integrated Reliability and Risk Analysis System i
-IRT in-containment refueling water' storage tank injection IRWST in-containment refueling water storage tank IRWSTIN in-containment refueling water storage tank injection (system screening analysis) xiii
-.. ~
ACRONYMS AND INITIALISMS, continued LLOCA large loss-of-coolant accident LMR liquid metal reactor LOCA loss-of-coolant accident LOSP loss of offsite power LWR light water reactor MDP motor-driven pump MFW main feedwater system MHTGR Modular High-Temperature Gas-Cooled Reactor MLOCA medium loss-of-coolant accident MOV motor-operated valve NRC Nuclear Regulatory Commission NRHR normal residual heat removal system PCCWST passive containment cooling water storage tank PDR AP600 Plant Description Report, Revision 0, January 1989 PIUS Process-Inherent Ultimately Safe PRA probabilistic risk assessment PRHR passive residual heat removal system PRISM Power Reactor Inherently Safe Module PTS pressurized thermal shock PWR pressurized water reactor RCP reactor coolant pump RCS reactor coolant system RESMP containment recirculation / sump injection (system screening analysis)
RPT reactor coolant pump trip SAFR Sodium Advanced Fast Reactor SBWR Simplified Boiling Water Reactor SFC spent fuel cooling system
)
SFW startup feedwater system SG steam generator SGI steam generator isolation SGTR steam generator tube rupture SLOCA small loss-of-coolant accident SMP sump injection system SMTBR smart break LOCA SNL Sandia National Laboratories TWMF transient with main feedwater TWOMF transient without main feedwater WRC water recirculation system xiv
EXECUTIVE
SUMMARY
Many of the advanced light water reactor (ALWR) concepts proposed for the nexc generation of nuclear power plants rely on passive or semi-passive systems to perform safety functions, rather than active systems as in current reactor designs. Passive systems are employed in place of redundant active systems in an effort to simplify the plant, and at the same time improve reliability and safety.
In replacing the active safety systems with less redundant passive systems, the assertion is that the overall safety of the plant is enhanced due to the much higher expected reliability of the passive systems.
These pascive systems rely to a great extent on physical processes like natural circulation, and do not contain generally less reliable active components, such as pumps. A reduced dependency on support systems, such as AC electric power, results.
I l
This report documents the first of three phases of a Nuclear Regulatory Commission-sponsored study to develop and implement a method for evaluating the reliability of passive safety systems in ALURs, in the context of probabilistic risk assessment (PRA).
The three phases are:
(1) methodology development and sequence-level component failure quantification, (2) natural process assessment methodology demonstration, and (3) passive system reliability method 1
implementation. The overall program goal is to compare passive safety feature reliability with that of current plant active safety systems, with consideration of such unique aspects of passive system operation as natural process uncertainties. This goal will be realized at the end of Phase 3.
j The Westinghouse Advanced Passive 600 KWe reactor (AP600) will serve as an example of ALVR design for this study.
The availability of AP600 design information, and the extensive use of " passive" safety systems in the AP600 design, led to its selection as an example design. The AP600 is a 4x2 (four cold leg, two hot leg) pressurized water reactor (PWR).
The comparison between current and advanced reactor designs will be on the functional level, with the i
functions of interest being the emergency cooling and decay heat removal functions.
The project began with a thorough literature survey of passive reliability and advanced reactor safety.
Then the methodology was developed, with a goal of maximizing the use of existing PRA technology, such as NUREG-1150 methods. The method includes approaches for screening and prioritizing system failures and ultimately addressing uncertainties in passive system reliability.
The uncertainties to be addressed include those associated with natural processes, such as natural circulation and gravity driven flows. A simplified overview of the methodology developed is presented in Figure E-1.
The system-level qualitative analysis determined the systems with the greatest potential to be influenced by natural process uncertainties (i.e.,
those with very low failure rates due to component failures, combined with natural processes thought to be uncertain).
This screening study applied lower-bound values for component failure rates to give an estimate of the lowest expected contribution of component failures to overall system failure. Then the natural processes and uncertainties for each passive system were identified, and judgement applied to determine the expected importance of the process uncertainties to system failure.
S-1
Figure E-1. Simplified overview of ALWR passive l
system reliability evaluation method
(
STEP 1 3
System-level qualitative p % Q,y7,f analysis to identify output g,,,and e tw potentially important uncenainties
( process uncertaintiesj
(
STEP 2 3
F"
- P8'
- In-depth sequence-level
$*L*,g9,,Y,qYe component fallure output
(
quantification using wnsidering wmpon asures m'Y (NUREG-1150 methodsj
(
STEP 3 3
Sensitivity calculations
,, g g Q Cd*da using Step 2 models to output inen,,,,in functional, xm evaluate nuccess criteria tanure-basedcwfrom to 2 (uncertaintyimportancej NI
[ Selection of systemsh f
and parameters for N
Qn-depth assessmeny I
__ A V
_E.
STEP 4 h
M Assess contribution to of% o gy, ouam s.
mean CDF from natural output naturatprocess unceasinties
\\
!p process uncertainties 4
M
(-
J
=
=
(
STEP 5 3
Combine results from omrasfunctio+spece w (wnsidering componentfaRures eateps 2 and 4.,
wtput a naturalprocess unoensinties);
compare to current-wmparison to werentplant Q
generation plant j tunction-specnic cw s-2
The systems appearing to be most important according to the screening are those essociated with external containment cooling, and natural circulation in the reactor coolant system and containment interior.
It should be noted that this ccreening study was applied to an older version of the AP600 design.
External containment cooling, for example, is not considered a necessary part of the success criteria for the newer design version.
In addition to the system-level screening analysis, accident sequences were quantified, considering only the emergency cooling and decay heat removal functions (i.e., reactor trip was assumed to always occur).
Here, NUREG-1150 tethods were generally applied.
Fault and event tree models of the AP600 were developed for a newer (July 1991) AP600 design version.
Event trees were constructed for internal initiators (transients and loss-of-coolant accidents) only, occurring during full power operation.
Low power and shutdown modes of operation are outside the scope of the current study. The analysis was carried out to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> after reactor trip. No operator recovery analysis was performed.
Additionally, control and actuation systems were not handled in a detailed canner, so that the results of this analysis do not reflect the differences between the AP600's design of these systems, with their greater dependence on computer software, and those of a current plant.
A data analysis was then performed, including basic common-cause and human reliability analyses.
This analysis used realistic failure data, rather than lower-bound values as in the qualitative screening study. Component data from current generic sources were primarily applied, because of the use of current-technology components in the AP600 design.
A few data-related issues arose, including the question of check valve reliability at low differential pressures, AP600 non-safety grade equipment which is classified safety grade in current plants, and testability of valves in certain systems. For the check valve issue, current generic values and distributions were applied based on judgement regarding the processes affecting reliability of the valves, and importance calculations showing a lesser significance of the valve failure events in the j
context of the sequence analysis. For the safety /non-safety grade issue, a few distinctions were made versus the generic data, principally with regard to diesel generator events.
This sequence-level analysis resulted in an estimated mean core damage frequency (CDF) for the emergency cooling and decay heat removal functions of 3.5E-6/yr and 5th and 95th percentile values of 5.9E-7 and 1.lE-5, respectively. This compares with a previously reported Westinghouse value of 1.2SE-6/yr in a preliminary enalysis (1989), which was based on an earlier version of the AP600 design. The dominant initiator was predicted to be a small IDCA (69%) with the most dominant failures involving operator failure to properly align the Normal Residual Heat Removal System. It should be emphasized that these results are based on a design current as of July 1991; changes to the design have occurred to date which could substantially affect these results. Additionally, this report should not be used as a resource for " current" AP600 design information.
After the initial sequence-level calculations were completed, several issues were identified for further investigation. The first involved a probable conservatism in the actuation model for one of the AP600 systems, the Water Recirculation System.
Because of the importance of the system's actuation event to the S-3
l l
l i
l l
results, the model was rework.ed to treat the actuation more realistically. This resulted in a 42% decrease in the point-estimate CDF. Another issue examined was the sensitivity of the results to newly available, recommended valve failure rate data, and to the currently uncertain test interval for the depressurization system (DEP).
The new data were applied, and the test interval for the DEP i
system valves was varied over the range from one to twenty-four months, resulting in a point-estimate CDF a factor of 10 to 67 higher than the original CDF.
The core damage frequency stated above does not include natural process
)
uncertainties.
Sensitivity studies were performed to determine those systems that would ha*ve the greatest impact on the core damage frequency if the natural process failed to provide adequate driving force for the system, and the system success criteria were incorrect.
Based on these sensitivity studies, those systems determined to be most important are Passive Residual Heat Removal, Core Make-up Tank inj ection, and In-containment Refueling Water Storage Tank injection / recirculation.
The method for explicitly addressing the natural process uncertainties in these key systems will be demonstrated in Phase 2.
Thermal-hydraulic calculations will be incorporated into a formal expert judgment process to address uncertainties in selected natural processes and success criteria.
i l
l l
S-4
'l l
1 INTRODUCTION Many of the advanced light water reactor (ALVR) concepts proposed for the next generation of nuclear power plants rely on passive systems to perform safety 8
I I
functions, rather than active systems as in current reactor designs.
Passive systems are employed in place of redundant active systems in an effort to simplify the plant, and at the same time improve reliability and safety.
Improved economics and plant availability are sought through design simplification, including simplified maintenance, operation, and construction.
In addition, the reduced complexity of safety system design is expected to I
promote public acceptance of the advanced concepts by making the safety of the
}
plant more " transparent" or understandable.
In replacing the active safety systems with less redundant passive systems, the assertion is that the overall safety of the plant is enhanced due to the much higher expected reliability of the passive systems. These passive systems rely to a great extent on physical processes like natural circulation, and do not contain generally less reliable active components, such as pumps.
A reduced dependency on support systems, such as AC electric power, results.
It is of interest, then, to assess the reliability of passive systems in ALVR designs to determine the level of safety associated with such systems, as compared to active safety features in current plants.
Probabilistic risk assessment (PRA) is a widely used tool for quantitatively evaluating the safety of current reactor designs.
This study aims to quantify passive system reliability in the context of PRA. Although many of the aspects of current PRA methods are directly applicable to ALVR designs, features unique to passive
'The terms " passive" and " inherent" as applied to safety features have been assigned many different meanings in the literature. A brief discussion of the use of these terms in this report is needed.
Three terms can be defined which best describe the types of features which are included in advanced reactor concepts.
" Semi-passive" refers to systems which rely heavily on " natural processes" such as natural convection or evaporative
\\
cooling, rather than decidedly " active" components such as pumps. These systems may, however, require actuation signals or energy sources to start and operate, e.g. for valves to change state. Passive features may be defined in the same way ca semi-passive systems, but without the need for activation signals and energy to perform their intended function in response to an accident. An example is an cccumulator system which is actuated when the primary system pressure drops below the accumulator pressure, and check valves change state.
Inherent features result in the elimination of a hazard by the choice of material and design, relying on natural laws to a more complete extent than passive features [1].
Examples of inherent features are reactivity feedbacks and the elimination of bottom penetrations on the reactor vessel.
The distinction among these three terms is not always clear when attempting to assign a term to a given system, but this is not of primary importance when analyzing the system. For the analysis of the ALWR systems in this study, we are primarily interested in passive and semi-passive safety systems.
With a few exceptions, this report makes no distinction between the passive and semi-passive terminology both are referred to as passive systems.
l 1-1
systems require new evaluation approaches. A primary consideration here is how to address uncertainty associated with the heavy reliance on natural processes for passive system operation.
This report documents the first of three phases of a Nuclear Regulatory Commission-sponsored study. The purpose of the study is to develop and implement a method for evaluating the reliability of passive safety systems in advanced light water reactors.
1.1 Obiective The objective of this study is to compare the reliability of passive safety systems in an ALWR with the reliability of corresponding active safety systems in a current generation reactor.
The quantification of passive system reliability is not as straightforward as for active systems, due to the lack of operating experience, and to the greater uncertainty in the governing physical phenomena.
Thus, the adequacy of current methods for evaluating system reliability must be assessed, and alternatives proposed if necessary.
The evaluation of passive system reliability will take place in the framework of PRA, so that the final results can be compared in a direct way to measures (e.g. core damage frequency) of current plant safety.
As discussed in Section 1.3, the study is divided into three phases:
(1) methodology development and component failure quantification, (2) natural process assessment methodology demonstration, and (3) passive system reliability method implementation.
This report describes the results of the first phase.
The objectives of the first phase include development of a comprehensive methodology for passive system reliability assessment, and as one of the first steps in the method, quantitative component failure evaluation. The overall program goal of comparing passive and active safety feature reliability, with consideration of such unique aspects of passive system operation as natural process uncertainties, will be realized at the end of Phase 3.
The Westinghouse Advanced Passive 600 MWe reactor (AP600) will serve as an example of ALVR design for this study.
The availability of AP600 design information, and the extensive use of " passive" safety systems in the AP600 design, led to its selection as an example design. The AP600 is a 4x2 (four cold leg, two hot leg) pressurized water reactor (PWR) design.
Section 3.1 of this report provides a brief description of the AP600 and its passive safety features.
It should be emphasized, however, that the AP600 design information contained in this report represents the best understanding of the design at the time of analysis (July 1991). Because the AP600 is under development, there have been numerous design changes since then. This document should therefore not be used as a resource for " current" AP600 design information.
Factors to be considered when selecting a current-generation plant to be compared to the AP600 are availability of previous systemic or functional reliability assessments, and similarity in some respect to the AP600.
The current plant selected for this study is Surry Unit 1, a 788-MWe three-loop Westinghouse PWR.
Surry Unit 1 was analyzed as part of the recent NUREG-1150 [2,3] analyses. Thus, extensive PRA information is available for this plant.
1-2
)
i 1.2 Scope The comparison between current and advanced reactor designs will be on the functional level, rather than on a system-by-system basis, because it is not g:nerally possible to identify a single system in the ALWR design which directly esrresponds to a single system in a current plant.
Rather, a collection of eystems in the advanced reactor performs the same function as a usually larger collection of systems in a current plant.
The functions of interest for this study are the emergency cooling and decay heat rcmoval functions, conditional on reactivity control following an accident initiating event.
In other words, reactivity control systems will not be cnalyzed, but will be assumed to be 100% reliable. Analyzing reactivity control in addition to entergency core cooling / decay heat removal (ECC/DHR) would introduce a great deal of complexity without much added benefit for demonstrating the methodology. The ECC/DHR functions cover systems required to inject coolant as well as remove decay heat from the primary system and containment following cn initiating event.
These functions include an adequate variety of passive systems in the AP600 on which to base development and demonstration of the 1
E thodology.
The performance of the ECC/DHR functions will be evaluated for response to a typical set of PRA internal initiating events:
transients and loss-of-coolant cccidents (LOCAs). This will allow direct comparison to the response of current rsactor systems to these initiators. The issue of identifying potentially new initiating events for the AP600 is being addressed in a separate, related NRC-cponsored analysis.
1.3 Acoroach Three phases form the approach to this study of passive system reliability: (1) mthodolo6Y development and component failure quantification, (2) natural process casessment methodology demonstration, and (3) passive system reliability method i plementation. These three phases are discussed in the following subsections.
As mentioned above, the purpose of this report is to document the results of the first phase.
The passive safety systems to be analyzed in this study depend upon natural processes such as natural circulation to perform their function, rather than on co-called " active" components such as pumps. However, these systems do contain eschanical components, valves in particular, that must change state for the system to operate. Cenerally these valves will have to change state only once during their mission, and motive power is in the form of stored energy such as compressed air or battery power.
Pcst reactor Level 13 FRA methods are directly applicable for the component failure aspect of passive system modeling.
On the other hand, accounting for uncertainty in the natural processes involved in passive system operation
' Level 1 refers to assessment of core damage frequency, in contrast to Levels 2 and 3 involving accident progression and consequence analyses.
1-3
requires an alternate approach.
This is essentially an uncertainty in the sr.ccess' criteria for the passive systems. Specifically, given proper component functioning (valves open or close as required), a measure is needed of the degree of certainty that the natural process (natural circulation, gravity-induced flow, evaporative coolin5, etc.) provides the fluid driving force or heat removal required to avert core damage.
This uncertainty derives to some degree from i
uncertainty in parameters associated with the process of interest, such as heat transfer coefficients or friction factors.
Further considerations include initial or " boundary" conditions such as break location for a loss-of-coolant initiating event, and thermal-hydraulic modeling uncertainties.
?
The method developed in Phase 1 involves splitting the problem into two parts:
(la) the aspects that current PRA techniques can directly address (component failure quantification), and (1b) aspects for which a new technique is needed (natural process assessment). The natural process assessment portion involves an interim demonstration phase, where the method is applied to a small portion of the problem to verify its merit and identify any problems (Phase 2).
Upon successful completion of the Phase 2 demonstration, Phase 3 will involve fall l
method implementation for the AP600 emergency cooling and decay heat removal f
functions.
1.3.1 Phase 1: Methodology Development and Component Failure Quantification As discussed briefly above, aspects unique to passive system operation point to j
possible shortcomings in applying current safety evaluation methods, such as PRA, j
to these systems.
Sections 2.1 and 2.2 present further discussion of these shortcomings. A methodology which addresses analysis of these unique aspects is therefore needed.
A literature survey forms the starting point of the methodology development task, to identify any potentially useful methods which have been proposed or applied for analyzing advanced reactors Based on information from this literature search, and considering the types of systems to be analyzed, a method for evaluating passive system reliability must be developed.
The method should maximize use of existing PRA technology (e.g. NUREG-1150 methods [2)) to enhance l
efficiency.
The methodology developed for this study is described in more detail in Section 2.2.
Figure 2.2-1 in that section provides an overview of the method. It begins with examining the types of passive systems to be analyzed, and identifyin'g the natural processes on which they depend for their operation. These processes may include alternative motive fluid forces such as gravity or gas-pressure, or heat transfer processes such as natural convection.
Next, one investigates the components, such as valves or tanks, within each passive system.
A screening comparison is made between the contribution to system failure from failure of its components, and the expected importance of the natural processes to passive system operation.
In other words, if the components which must function for a passive system to operate have a high failure probability, then any uncertainty in their natural processes will likely be less important to overall system failure.
In this way, a rough prioritization of passive systems is developed based on natural process importance. This prioritization will aid in identifying those systems for which analysis of their natural processes is most prudent. A 1-4
prioritization is needed because of the resource-intensive nature of natural process assessment, described below under Section 1.3.2.
The next stage of Phase 1 involves in-depth analysis of component failures.
NUREG-1150 PRA methods [2,4) are used here. Event trees delineate the emergency cooling or decay heat removal systems that can be used in response to an accident initiator.
For the AP600 this includes credit not only for the passive safety systems but also for the active non-safety systems.
Fault tree models are constructed to represent component failures for the systems of interest. Failure data from past PRAs and existing databases are generally applicable due to similarities in components included in the AP600 design and in current operating units. There are a few exceptions which result from differences in areas such as component usage or system safety classification (i.e. safety versus non-safety grade).
Once fault and event tree models have been built and the database developed, sensitivity calculations are performed with various success criteria assumptions.
For the different success criteria, a core damage frequency (CDF) is calculated for each of the initiators considered in the analysis. This CDF represents only the ECC/DHR functions and does not, as discussed above under Section 1,2, include modeling of the reactivity control function.
Nonetheless, these calculations provide a measure of the importance of the various passive systems to overall plant safety. This information will aid in the prioritization of sequences to be analyzed in later phases of the program, where natural process uncertainties are considered.
To summarize, the following tasks form Phase 1 of this program:
- 1) Literature Survey
- 2) Methodology Development
- 3) System-level Qualitative Analysis
- 4) Event Tree Development
- 5) Fault Tree Development
- 6) Data Analysis
- 7) Quantification/ Sensitivity Calculations The literature survey provides information on past approaches for advanced reactor safety analysis, to aid in methodology development for this study. The system-level qualitative analysis provides a qualitative measure of the expected importance of natural process uncertainties to passive system failure likelihood.
Event tree, fault tree, and database development allow modeling of the mechanical component failure aspect of passive system evaluation using NUREG-1150 PRA nethods.
The quantification/ sensitivity calculations, along with the system-level screening, provide information for selection of sequences / systems for natural process assessment in the next two phases of the program. When combined with the results of the next two phases, the calculations in task 7 will provide an overall measure of the ECC/DHR functional failure probability. This quantity will be compared to the similar quantity for s current-generation light water reactor at the completion of Phase 3.
1-5
l l
1.3.2 Phase 2:
Demonstration of Natural Process Assessment Method The second phase of the program will examine the feasibility of the natural process assessment methodology developed in Phase 1.
This methodology will be applied to only a few accident sequences in Phase 2, to demonstrate the method.
Such a demonstration is needed because the approach for natural process assessment is resource-intensive. Upon successful demonstration, a comprehensive implementation of the methodology will be completed in Phase 3.
Section 2.2 briefly describes the natural process assessment method; a more detailed and complete description is deferred until the next NUREG/CR report documenting results of Phase 2.
Basically, the method involves evaluating the contribution to mean ECC/DHR functional CDF from uncertainties associated with the natural processes involved i
i in passive system operation. These uncertainties can be related to parameters, l
such as heat transfer coefficients or IDCA break location, which influence the effectiveness of the process. Distributions on important input parameters are obtained, primarily through a formal expert judgement process. Thermal-hydraulic models of the ALWR are constructed and multiple code calculations performed corresponding to values sampled from the input parameter distributions. These results as well as other uncertainties, such as those associated with the thermal-hydraulic model, are incorporated in an output distribution on the contribution of natural process uncertainties to overall sequence outcome.
For demonstration purposes during Phase 2, natural process assessment will be restricted to a few sequences involving core-cooling-related (not containment heat removal) passive systems. Complete evaluation of the core cooling systems will require modeling of the containment heat removal systems because the core and containment heat removal processes are coupled for the AP600. This complete evaluation will be performed during Phase 3 of the program.
1.3.3 Phase 3:
Implementation of Passive System Reliability Method For Phase 3, the natural process assessment method described in Section 2.2 will be applied to a larger number of sequences.
The sequences will be selected according to the criteria mentioned above. Containment heat removal systems will be modeled in addition to the core cooling systems to which they are coupled.
The product of Phase 3 will be a complete distribution of the ECC/DHR functional failure probability, considering component failures and natural process uncertainties in both core and containment heat removal processes.
The result can be compared with the similar quantities for the current-generation reactor design.
1-6
2 METHODOLOGY DEVELOPMENT The purpose of this section is to describe the initial steps in Phase 1 of the program.
These steps include performance of a literature survey to identify relevant work in the area of advanced reactor saiety analysis, and development cf a comprehensive methodology for evaluation of passive system reliability in cn ALWR, First, a discussion is presented of the more relevant advanced reactor cafety information found in the literature survey.
The methodology to be implemented in this study is characterized next, drawing upon some of the background information presented in the literature survey description.
2.1 Literature Survev/Backeround Information A literature survey was performed in October 1990 to identify relevant documents pertaining to advanced reactor safety analysis.
This survey included a computerized database search using such key-words as Passive / Inherent / Intrinsic Safety; Advanced Reactor with Safety / Test / Reliability / Risk; and Passive System (s). Indexes and tables of contents of pertinent journals and proceedings were also reviewed for recent years to identify related work.
The primary objective was to identify items in the following categories:
j A. Passive System Reliability B. Passive System Testing C. Advanced Reactor Thermal Hydraulic Analyses
)
D. AP600 Safety Analyses E. Other Advanced Reactor Safety Analyses F. General Advanced Reactor and Passive System Safety G. General Reliability Methods A partial listing of the more pertinent documents in these categories obtained cs part of the literature survey is provided in Appendix A.
Each of these areas i
is discussed in turn in Section 2.1.2.
2.1.1 Advanced Reactors-Background j
In this subsection, some of the passive and inherent features of advanced reactors are presented, to supply background information for discussion of cdvanced reactor safety analysis approaches found in the literature survey. This eaction will not provide design descriptions of the various advanced concepts; numerous documents in the literature pcovide such information. References [5]
cnd [6), for example, provide overviews of some of the more prominent advanced cnd evolutionary reactor designs.
Section 3.1 of this report provides a brief dascription of the AP600 reactor design to be analyzed in this study.
i Rsactor concepts proposed for the next generation of nuclear power plants can be j
cctegorized by the terms " evolutionary" and " advanced." The evolutionary light 1
w ter reactor (LVR) concepts are similar to currently operating plants of recent dasign, but with added features based on operating experience and safety considerations. They are all greater than 1200 MWe in size. These designs have i
not replaced existing active safety systems with passive ones, as have the "cdvanced" LVRs, but have built upon the existing systems. [7]
2-1
i l
Advanced reactors.can be divided into two groups: LWR and non-LWR, Gas-cooled designs such as the Modular High-Temperature Gas-Cooled Reactor (MHTGR) and liquid metal cooled reactors such as Sodium Advanced Fast Reactor (SAFR) are examples of the non-LWR class.
Of the advanced LWRs, designe such as the AP600 and Simplified Boiling Water Reactor (SBWR) are sometimes termed " evolutionary advanced LWRs," since they rely to a greater extent on current " proven" technology versus such concepts as the Process-Inherent Ultimately Safe (PIUS) designs [5].
Most of the advanced reactors are less than 600 MWe in size. They generally represent a move toward simplification and greater use of passive and inherent safety features, with a lesser dependency on support systems.
The smaller size of these designs in driven in part by the incorporation of passive or inherent features that involve, for example, natural circulation heat removal, a process which would be less adequate for the higher power level designs.
The passive-and inherent features found in these reactor designs serve a wide range of accident response functions, the main examples of which are reactivity control and core / containment heat removal. These features involve reliance in some way on what can be termed a " natural process" or " law of nature." Reference i
(1) provides an overview of passive and inherent features included in ALWR i
designs. Table 2.1-1 lists some examples of the types of features that can be considered passive, semi-passive, or inherent (please see discu.'sion of these three terms on page 1-1 of this report, footnote 1).
TABLE 2.1-1 EXAMPLES OF PASSIVE, SEMI-PASSIVE, OR INHERENT j
FEATURES INCLUDED IN ADVANCED REACTOR DESIGNS [1]
Accumulators (gas pressure-driven)
Makeup Tanks (gravity-driven flow)
Core / Containment Heat Removal Structures / Systems:
Natural Convection of Water, Air, Other Fluids Conduction Radiation Condensation Surfaces Evaporation Heat Pipes Heat Energy Absorber Systems (e.g. large mass of high heat capacity material)
Reboiler/ Condenser Pairs Density Locks (hydraulically balanced)
Fluidic Valves I
Reactivity Feedbsck Effects Gas Expansion Module for Reactivity Control (displaces coolant to allow neutron leakage)
Thermal Expansion-Actuated or Melt-Actuated Shutdown Systems d
2-2 i
.,..m.-.,_
..... _. ~.. _.. - -,. _...... _.... _. -...... -... _ _ _.. _...
2.1.2 Literattsre Survey Results This section presents some of the information found in each of the main areas of the literature survey (A through G), which took place in October 1990. Although come of this information might be considered dated in the rapidly evolving realm cf advanced reactor safety, it provides background for discussion of the methodology development of this study.
A. Passive System Reliability A prevailing assumption in namerous documents pertaining to advanced reactor cafety is that completely passive or inherent featares "always operate" when needed, or have a failure probability of zero. This assumption can be found in discussions of preliminary safety assessments for several reactor concepts. For cemi-passive systems, this is equivalent to assuming that, given successful operation of the mechanical components, the natural processes will always be cdequate to meet the mission success criteria. As is discussed in Section 3.2, this simplifying assumption may be valid when considering passive systems for which (1) mechanical component failure modes will likely dominate, or (2) little uncertainty exists in the natural processes. However, if these conditions are not met, the use of this assumption can result in an underestimation of the system unreliability. An analogous argument applies to the completely passive or inherent systems without mechanical components.
Uncertainties in the processes on which these systems rely must be considered, particularly for features which provide a major portion of front-line defense.
The remainder of this subsection discusses some of the special considerations for j
cnalyzing passive or inherent safety features, as identified by references found in the literature survey.
An obvious consideration is that the operation of passive or inherent systems can depend upon correct switching status, and an adequate supply of operating medium (e.g. a tank properly filled with water) [8).
This is the component failure element of passive system reliability.
For inherent and passive features, structural reliability becoises an important component of overall system reliability [9, 10]. Reference [11) argues that a structural failure would be the most likely cause of failure of an inherent safety feature.
Thus, an adequate assessment of the structural failure probability of " critical" structures in response to a variety of system challenges (with seismic initiators of special concern here [12)) is necessary.
This, according to reference (9),
requires a description of the probability distributions for both the load and the material strength.
In-service inspection becomes an important factor.
The question arises as to whether sufficient information in these areas would be available for adequate analysis of certain advanced reactor designs.
Rsference [11), in discussing the application of PRA to inherent features, speaks of two main areas to be considered.
The first, as discussed in the previous paragraph, is structural reliability.
The second arises from the observation that safety analyses which show that a passive or inherent feature will successfully operate in an accident are based on parameters and assumptions that ere subject to uncertainty. Therefore, a rethod for probabilistically evaluating system response must consider variation of these parameters and assumptions.
2-3
This observation was similarly made in reference [13). As discussed in the first paragraph of this subsection, the emphasis of this study is that natural process-uncertainties must be considered in the passive system reliability estimation.
Because the advanced reactors have replaced redundant active safety systems with fewer passive ones, reference (13] argues that the significance of common cause failures (CCFs) in the analysis is reduced.
However, a CCF of the sort where multiple passive systems fail as a result of a single physical parameter or process may arise in the advanced reactor designs.
These types of CCFs might have to be addressed by a somewhat different approach than those used in the past.
The generally lesser reliance on operator action in response to accidents for the various cdvanced reactor designs results in a very different consideration of human factors versus that for current generation designs.
The design of many advanced concepts to respond passively to accidents for days delays the need for operator involvement, and simplifies the human reliability analysis due to fewer required operator actions. However, this additional time for operator response may increase the likelihood and importance of errors of commission, where, for example, misinterpretation of the accident may result in the operator interrupting properly functioning passive systems. Errors of commission have not been well-treated in past PRAs due to complexity of the problem and the assumption that they were not significant to risk.
Because of a general plant simplification in the advanced designs, the complexity of the analysis of errors of commission may be reduced. [14]
B. Reliability Data and Passive System Testing With respect to advanced reactor reliability data, which will be sparse in areas due to lack of operating experience, numerous references speak of drawing upon data which exists for comparable components. These comparable components may be in current-generation plants, or may be advanced reactor components for which more extensive test data exists. Reference [15] describes a data base and data analysis center for advanced reactors (CREDO - Centralized Reliability Data Organization) which collects and analyzes test data from various testing facilities.
The use of current reactor data will be easier for the " advanced evolutionary" light water reactors which draw upon existing technology, using many of the same components found in current plants.
In general, though, the data specific to advanced reactors will by nature be limited, and does not adequately address the influence of physical processes.
C. Advanced Reactor Thermal-Hydraulics Several NRC-sponsored programs in the area of thermal-hydraulic analysis for advanced reactors are being performed. For example, Idaho National Engineering Laboratory (INEL) has done some assessment work of thermal-hydraulic codes to be used for analyzing the AP600 and the SBWR.
INEL is currently performing RELAPS analyses of the AP600 design.
Such work is of particular interest for Phase 2 of this study, during which extensive thermal-hydraulic modeling of the AP600 will take place.
Of course, numerous thermal-hydraulic analyses of the AP600 have been performed by Westinghouse during the development of the design.
An example of such an analysis is given in reference [16).
2-4
..-~ ~.~ --
D. AP-600 Safety Analyses in addition to performing thermal-hydraulic analyses, Westinghouse has incorporated PRA into the AP600 design process. An initial PRA of the AP600 was band on the Pressurized Water Reactor Individual Plant Evaluation Methodology
( Irli2).
This involved evaluating response to internally initiated events:
small, medium, and large IDCAs, transients. with and without main feedwater, steam generator tube rupture, loss of offsite power, and anticipated transient without scram. [17) Subsequently, more detailed FRAs of the design have been performed as well. The component failure analysis portion of this study (Section 3) uses assumptions and general design information from some of the Westinghouse analyses.
E. Other Advanced Reactor Safety Analyses The reactor concepts which were included in the DOE Advanced Liquid Metal Reactor (IRB) program, SAFR and Power Reactor Inherently Safe Module (PRISM), underwent relatively < detailed safety analyses.
Reference [18) describes in general a Level-3 analysis performed for SAFR.
In the analysis, "phenomenological event trees" were used in place of the separate systemic event trees in typical Level j
1 PRAs, linking accident types with plant damage states.
This was possible, according to [18), because of the independence of the SAFR safety features from 1
electric power, active control, and' active service and support systems. These trees include high-level questions such as inherent shutdown, energetics level, initial vessel structural response, early vessel failure, in-vessel core debris coolability, and late vessel structural response.
The results of the SAFR PRA indicate that the dominant contributor to core melt frequency, latent risk, total latent cancer and population dose is the protected (successful reactor shutdown) loss of heat sink accident (loss of shutdown heat removal) with late head failure, energetic core collapse, and vessel melt-through. The total core melt frequency was reported as less than 1E-5/ reactor-year, and the risk of acute fatalities was found to be 6.3E-17/ reactor-year. For the PRISM PRA, societal risk was dominated by loss of shutdown heat removal, but for individual risk, failures of the reactor shutdown and flow coastdown systems are important.
The PRISM PRA reported a core melt frequency of less than lE-5/ reactor-year as well, with the risk of acute fatalities at 5.0E-ll/ reactor-year.
It was stated that the PRISM risk, when further analyzed, is expected to be dominated by structural failures and other severe accidents with a very low probability of occurrence. Neither the SAFR nor PRISM PRAs treated uncertainties explicitly. [19)
A risk assessment of the MHTGR found that the high reliance on passive and inherent safety features resulted in a risk, although low, dependent largely on passive component failure. The sequences of highest risk resulted from failure of the primary pressure boundary causing leakage of primary coolant. Operator actions were found to have a minimal contribution to risk. Longer response times increased the probability of successful actions, and inadvertent actions (errors of commission) were seen not to have a significant effect on consequences. [20)
One of the most interesting analyses of passive safety is discussed in reference
[21). In an analysis of the probability of inherent shutdown in advanced IMRs, 2-5
i a probability distribution of maximum temperatures for key reactor structural parts is found by propagating uncertainties and variations in operations through accident analysis codes and models. They then define the failure probability for inherent shutdown as the fractional area of this distribution that exceeds specified safety limit temperatures.
The uncertainty in the safety limits themselves were not treated explicitly because of lack of data.
In any case, this analysis method enabled consideration of uncertainties and limitations in the modeling; variations due to manufacturing, construction, and operating tolerances; and uncertainties in conditions (e.g. temperatures). This approach--
obtaining a distribution on an inherent process using computer codes to perform multiple calculations with varying input parameters--is similar to what is proposed for Phases 2 and 3 of this study.
With regard to the important question of completeness in PRA, reference [14]
discusses the need for a systematic way to identify new initiators important for the advanced designs. The consideration of external events is discussed in [22),
where participants in the DOE Advanced Reactor Severe Accident Program (ARSAP) have performed a preliminary qualitative screening of the external events listed in NUREG/CR-2300 (PRA Procedures Guide). The paper concludes that only internal fire, internal flooding, seismic activity, and certain contributors to loss of off-site power (extreme winds, tornadoes, lightning and forest fires) require further quantitative evaluation in the PRA of advanced PWRs. Another study (23]
raises concern about susceptibility of certain advanced designs to sabotage (particularly the MHTGR and PRISM designs). Current regulations do not require inclusion of sabotage in a PRA.
Re ference [22] states that sabotage and terrorism should be not be considered quantitatively, but should rather be i
handled qualitatively in the analysis that supports development of the security plan.
Also pertaining to completeness in an advanced reactor PRA, reference [14]
asserts the importance of consideration of modes of operation other than full power in the analysis. This has not been traditionally handled in PRAs, although it is now being examined for several current-generation reactors. The results of these studies should provide insights as to the areas of importance of low power and shutdown risk for ALURs.
Westinghouse has performed a preliminary evaluation of shutdown risk for the AP600 as part of their PRA work.
F. General Advanced Reactor and Passive System Safety This category of reference material refers to more general advanced reactor safety information, such as implications of passive or inherent safety features to overall safety.
Applications of passive safety in other areas such as the chemical industry and fusion reactor designs have been noted and some techniques used or planned for safety analysis in these areas were identified. See Appendix A for the listing of references under this heading.
Specific information regarding handling of passive component assessment in these areas was generally lacking in this category, however.
G. General Reliability Methods The objective in searching for documents under this category was to identify alternative reliability assessment approaches which may be applicable to the 1
2-6
~
. ~.
l natural process assessment component of passive system reliability evaluation.
^
As motivation for this search, Table 2.1-2 lists possible aspects of advanced reactor passive or inherent processes which make it difficult to apply existing PRA methods. Some of these, such as physical processes / parameters and structural i
reliability considerations, have been identified and discussed in the previous portions of Section 2.1.2.
TABLE 2.1-2 EXAMPLES OF PASSIVE OR INHERENT FEATURE CHARACTERISTICS REQUIRING ALTERNATIVE REPRESENTATIONAL METHODS I
(a) Time dependencies (b) Failure influenced by physical processes or continuously varying parameters (c) A need to address " degrees" of failure or degrees of effect of failure (d) Process influenced by the net effect of multiple phenomena acting to some extent in parallel (good examples are reactivity effects)
(e) Feedback relationships (f) Cyclic or semi-cyclic phenomena (g) Structural integrity as a major contributor to failure (h) The need to handle uncertainty in the above areas j
Several alternative representational methods have been identified which address some of the characteristics listed in Table 2.1-2.
Thes-methods are now discussed in a general manner.
Phenomenolonical Event Trees.
When examining the types of natural processes involved in passive system operation, one can make the observation that these processes are comparable to the types of issues analyzed in an accident progression analysis (Level 2 PRA).
Examples of Level 2 processes are direct containment heating, hydrogen burns, core melt progression, etc.
Analysis of these processes can involve such resource-intensive activities as detailed computer modeling and expert opinion elicitation.
Reference [2), Section A.3 provides a good overview of the approach to the eccident progression analysis used in NUREG-1150.
Here, large accident progression event trees (APETs) are constructed to identify, chronologically order, and probabilistically quantify the important events and associated parameters in the progression of a severe accident. Determining values for the events involves the use of experimental data, accident simulation computer codes, structural analyses, and where necessary, expert opinion.
For NUREG-1150, uncertainty was incorporated for selected parameters.
Referring to Table 2.1-2, features of the APET model address some of the unique characteristics of passive system natural processes. The chronological ordering addresses to some extent items (a) and (f) in Table 2.1-1.
The multiple branch point structure of the APET allows items (b) and (c) to be handled in a discretized manner.
Structural reliability is modeled explicitly on the APET, and uncertainty can be propagated through the analysis.
Markovian. Semi-Markovian Modeline and State Transition Analyses.
Many methods have been proposed and applied relating to Markovian modeling and State 2-7
Transition Analysis, in order to take into account time-dependence, system interactions, process variables, etc. Such methods may be useful in the modeling t
of natural processes, in that they address some of the more important characteristics identified in Table 2.1-2:
time dependence and failure influenced by physical parameters. For example, reference [24) discusses how the equivalence between some event trees and semi-markovian processes can be used to represent time-dependency with event trees. Discretized State Space methods can address both time dependence and physical process modeling.
The drawback of these methods lies in their complexity; references cite the use of computer programs to handle other than trivial analyses. The merit of these approaches to a given problem will have to be assessed relative to the effort involved and the quality of the results as compared to alternative methods.
GO-FLOW Methodolorv. The GO-FIDW method for system reliability modeling is a modification of the GO method developed for the analysis of nuclear weapon systems. A GO FLOW chart ccrresponds to the physical layout of the system and l
contains "all possible system operational states" [25). " Signals" representing physical quantities or information connect various operators which describe l
interactions or logical operations. Time-dependency is handled in a discretized
}
manner, and the method can be applied to, for example, a phased mission problem j
or time-dependent unavailability modeling. The method can be used in place of fault tree modeling.
This method addresses item (a), and possibly items (b),
(d), (e), and (f) in Table 2.1-2.
Although a trial application of this method to a natural process assessment problem was not performed, it appears that the method is better suited to modeling systems with active components and a distinct
" physical layout."
NUREG/CR-1507 Methods. This reference proposes two methods for. representing phenomenological uncertainties, to be used as supplements to event tree modeling
[26).
The first method is simply a categorization of phenomenological uncertainties in terms of their magnitude and impact on accident outcome. This is intended as an intermediate step to identify research priorities, and has potential application for this study in the area of prioritization of issues for l
expert elicitation.
The second method is an alternative diagrammatical representation of the interaction between closely-coupled phenomena.
This approach addresses to some extent items (b), (d), (e), and (f) in Table 2.1-2.
l The method is generally suited to handling parallel positive and negative effects, such as for modeling reactivity control phenomena.
Problems exist in the area of assigning probabilities to node points in the diagram and applying the method globally or to entire accident sequences.
As such, this method is recommended for consideration for modeling the reactivity control safety function, but does not appear to be very useful for modeling passive systems serving the emergency cooling or decay heat removal functions.
Time Phased Fault Tree Analysis.
Space reactor concepts frequently incorporate passive systems and, as with advanced reactors, suffer from a lack of operating data from which to assess system reliability.
Reference [27]
discusses a fault tree analysis of a space reactor residual heat removal concept which employs passive cooling. Here, a time phased fault tree analysis was used to represent three distinct time regimes in the accident sequence. This method j
I offers some consideration of time dependency without unmanageable complexity.
2-8
+
mp-y----,--m-my---.-we,+
,-ft* -r---
-+r i-e-i-&or-w,wemmy-ww-y'g sv
-y+
y,g-wm--
my
=-y>
m
Its direct compatibility with the " standard" fault tree modeling approach is t
f cnother advantage.
CSAU Methodoloev. Reference [28] describes a methodology used to quantify the uncertainty associated with complex phenomena:
the Code
- Scaling, Applicability, and Uncertainty Evaluation Methodology (CSAU).
The method cddresses questions associated with (1) code capability to scale-up processes from a test facility to a full-size nuclear power plant, (2) code applicability to specific accident scenarios for a given plant design, and (3) quantification of the uncertainty with which the code calculates important parameters. Because codes will be used in the natural process assessment for this study, the CSAU rethodology may be useful in answering item (h) of Table 2.1-2.
Structural Reliability.
References [9] and [11) discuss the potential importance of structural reliability to inherent feature reliability (see discussion in this section under Passive System Reliability, above).
For this study, structural reliability may be of lesser importance since seismic initiators are not being considered, and no accident pregression modeling will take place (i.e. modeling beyond onset of core damage).
For studies in which structural reliability is considered more important, the approach to representing structural failure will depend, as expected, on the desired level of modeling detail within resource constraints.
The necessity to handle uncertainty in various variables, such as material properties, must be assessed. One reference
[29] describes a method which couples Monte Carlo and boundary element methods.
The claim is that the method treats all or part of the variables, including geometry, material properties, and boundary conditions, as random variables and yields a statistical description of the influence of the load on the structure.
As is described briefly in the next section, the natural process assessment portion of the passive system reliability method will likely involve the use of phenomenological event trees. The trees will provide a probabilistic structure with which to represent results of the multiple thermal-hydraulic code calculations and expert-generated distributions. The CSAU methodology may also be employed to some extent in order to quantify code uncertainty.
2.2 Comprehensive Methodology This section describes a method developed to meet the objective for this study of comparing the emergency cooling / decay heat removal functional reliability for the AP600 to that for Surry Unit 1.
Figure 2.2-1 presents a simplified overview of the method. The specific steps to be performed are outlined below. Existing methods and screening techniques are proposed where possible to efficiently attack the problem.
The method which has been developed should be generally applicable to any advanced reactor concept's passive or inherent features, although this has not been investigated in depth.
The need for a new methodology to assess passive system reliability has been centioned throughout Section 1 of this report, and is discussed in Section 2.1.2.
Basically, the distinguishing festure of passive systems versus the active systems incorporated in current p. ants is the passive systems' heavy reliance on natural processes for their operation. These processes provide the driving force for the system to perform its function, and include, for example, natural 2-9 l
l
Figure 2.2-1. Simplified overview of ALWR passive system reliability evaluation method i
[gg,y,g j
(
STEP 1 3
System-level qualitative g
analysis to identify output proonsses andassociated potentiallyimportant urwtainties
( process uncertaintlesj U
(
STEP 2 3
mponentfa$ure N
- ,,que '""ch output
(
quantification using com ntraanse (NUREG-1150 methodsj
(
STEP 3 3
Sensitivity calculations
,% y g g using Step 2 models to output increasein functions, component evaluate success criteria tanure-basedcytrom step 2 (uncertainty lmportancej y
[ Selection of systemsh W
m m
m and parameters for
~
W Qn-depth assessmeny
_ I_
k V
I STEP 4 h
f Assess contribution to meYa Cytrom contnbution mean CDF from natural output naturatprocess uncertainties
.y process uncertainties S
\\
h_A_.._.. 2
=
(
STEP 5 3
- N Combine results from werartcuetiowe cm (oposidering componenttaRures gteps g ag 4,,
output
\\ a naturdprocess uncertenties);
compare to current-comparison a currentplant
(
generation plant )
Wn-specrep 2-10
c::nvection, evaporative cooling, and gravity-or gas pressure-induced flow. This difference raises the question of whether traditional PRA techniques, such as those applied in NUREG-1150 [2), are adequate for modeling passive systems. On the other hand, the fact that passive systems incorporate components, such as valves, illustrates a similarity among passive and active systems. In addition, a PRA model (event tree) of an entire safety function for an advanced reactor will likely include not only front-line passive safety systems, but also " backup" cetive systems. Therefore, current techniques might be applied to the component failure aspect of passive systems, and to the complete modeling of the active bickup systems.
The method proposed for this study, as stated above, is based partially on proven, existing PRA methods, as applied in NUREG-1150. The method also includes en approach for quantitatively handling uncertainties in the natural processes involved in the passive system operation, which can be translated into mission success criteria uncertainties.
Because the approach for natural process essessment is relatively resource-intensive, two prioritization or screening steps are incorporated, one at the system level and one at the sequence level.
As indicated in Figure 2.2-1, the methodology developed for this program can be divided into five steps:
(1) System-level qualitative analysis to identify systems with potentially important natural process uncertainties, i
(2) In-depth sequence-level component failure quantification using NUREG-i 1150 Level 1 methods, (3) Sensitivity calculations to evaluate importance of success criteria uncertainties, (4) Assessment of contribution to mean core damage frequency from uncertainties associated with the natural processes involved, and (5) Combination of results from the sequence-level component failure analysis and natural process assessment.
Phase 1 of the study includes Steps 1, 2,
and 3 (see Figure 2.2-1).
The demonstration of Step 4 constitutes Phase 2, and Phase 3 is defined as full implementation of Steps 4 and 5.
The remainder of this section presents a more detailed discussion of each of these steps.
2.2.1 STEP 1: System-Level Qualitative Analysis The purpose of the system-level qualitative evaluation is to gain a better understanding of the passive systems to be analyzed, and the natural processes upon which they rely for their driving force.
In addition, we seek a rough prioritization of passive systems, based in large part on the expected importance of process uncertainties to system failure.
This amounts to a preliminary screening of systems for which detailed natural process assessment (Step 4 of the asthod) will be applied.
This prioritization is necessary because of the resource-intensive nature of natural process assessment.
The premise of the system-level screening is that natural process uncertainties are less important for systems which have a high component failure probability.
For example, if one considers a pumped active inj ection system, a small uncertainty in the flow resistance downstream of the pump is less likely to 2-11
influence system failure than the relatively high failure likelihood for the pump.
The mean failure probability for a gravity-driven passive inj ection l
system, on the other hand, would be much more sensitive to uncertainties in parameters affecting the gravity flow; the overall system failure probability is much lower because fewer component failures contribute to system failure, and process uncertainty is no longer "in the noise."
Of course, also to be considered is the margin designed into the. system, e.g.,
whether the output capability of the a pump is large enough to ensure adequate flow regardless of small variations in flow resistance downstream. For a passive system without active components like pumps, the determination of whether adequate margin exists is at the crux of this study.
Step 4 of this method (natural process assessment) provides quantitative consideration of this issue.
It is handled in only a superficial qualitative manner in Step 1.
In order to evaluate whether natural process uncertainties may be important for a given system, a lower bound estimate for the component failure probability of a system is determined. A lower bound gives an indication for where, minimally, an influence of the natural process uncertainty may be felt.
The natural processes involved in the system's operation are identified, and examined in a qualitative manner to assess the expected influence of their uncertainty.
Systems are then prioritized based on three considerations:
from least to greatest component failure lower-bound estimate, from greatest to least expected influence of natural processes, and from greatest to least expected importance of the system to accident mitigation.
The latter consideration is more rigorously handled in the sequence-level sensitivity analyses at the end of general way in the system-level Phase 1, but it should be considered in a screening. This system-level analysis is now described in more detail.
Sten (la) Screening Fault Tree The approach to the screening analysis for each passive system involves constructing " screening fault trees," where the " component" failures are depicted with appropriate failure logic, and the natural processes involved in the system's operation are listed separately.
Component failures are defined here to include hardware failures for which data exists, including active (e.g. air-operated valve) failures and some traditionally termed " passive" (e.g. check valve or tank rupture) failures. For each of the natural processes involved in a system's operation, parameters or areas of uncertainty associated with the process are identified.
Figure 2.2-2 presents a general screening tree for a passive system in an advanced, water-cooled reactor.
The figure is in two parts.
Page 1 of the figure includes the types of component failures, with tabular "0R" contributions for each component, which might contribute to passive system failure.
These contributions are of the sort typically modeled in a current-generation reactor
]
PRA, and were identified by examining the NUREG-1150 methodology document [4],
l and the modular fault tree analysis procedures guide [30).
It should be noted j
that air dampers have not been listed, but could be included in passive gas or j
air cooling systems incorporated in some advanced water-cooled designs.
)
2-12 j
l l
Figure 2.2-2. High-Ixvel Tree for Passive, Semi-Passive, and Inherent Emergency Cooling Systems Failure of Passive, Semi-Passive, or Inherent Emergency Cooling System l,--_
l 1
Heat Fuchanrvs Tanks l
Pging Nw Errors of Natural l
Diversions en==iasian Processes l
i i
Tabular OR I
i l
Iscal Pauk (Rupture l - Pipe Rupture p.2 l
-Nw Blocked
-Iscal Pauk or Blockage) j - Flow Blockage
-Test / Maine==nce
-Test / Mame-ance l
l
-Mainamance Pmor
-Maintenarn Ence e
i
-support
-support:
- Hest Removal Pressurie 1
-Heaters (Boric Acid, Electric w
A Power) w I
4 Valves I
r MOV Pneumatic /
Solesad Safety / Relief Mariaal Hydrauhc i
i i
i Tabular OR -
Tabular OR Tabular OR Tabular OR Tabular OR Tabular OR
-Imcel Paults
-Iacal Paults
-Iocal Paults
-Iacal Paults
-Iacal Paults Imcel Paults
-Operator Ener
-Operator Pmor
-Operator Error
- Operator Ener Test / Maint.
-Test / Maint.
-Operator Pmor
-Test / Maint.
-Test / Maint.
-Test / Maint.
Test / Maint.
I
- support
-support 3,,,,;,,
. p,
- , f
- support
-support
-Ei ctncal Power I
- Control Hydraulic Hydraulic
,m
- A'**ia"
. Control
-Control 9
4 4
d mm
__..______.___,___mmm_.
m..m..m u m
____,_.m____.____.____m__._m_
mm___,m_---
,-w-.,.~...,,-..m%
,w we3.-m,y-.,,,,,m w,
,_w,
b I
i Figure 2.2-2, Cont. High-Ievel Tree for Passive, Semi-Passive, and Inherent hey cy Cnaling Systems Page 2: Natural Processes t
j Natural Processes l
)
P.2 4
I I
1 Heat her Coolant injareinn l
I 1
l 1
I I
I I
I I
I Nennet Ewepormive Heat Radiant Wicking D usky Orevky-One-Presume M
Coohag/
Ph Heat (Heat Mpes)
"Incks" Assissed Indmoed i
(Air, Weser) rande===esa=
1hasfer Row How 2
.e
.Q%
. Design /Famar
- Qh
-6
-6
-6
-DesigsfCuest.
l Ernas I!rrors Erroes Errors Errors Errors Emers Ihrers j
InManar ImManne Im Manar ram = mar
-Temupesuture
-Plow
-laidssor naManne Effecss Bifeas Effeas Effects Differential Resisemmes B5scas HEsces I
-Row
-Spreading
-Tempermane
-Serface Tcamp
-Wick
-Strucseral
-Pausure
-Ptessee Material. -
Insegrity ESeas MBeas Ph or PIwea==rma Differemdat or m
p p-Teamperemme
-Air /Weser
-Heat Pool
-Saucessel
-successel Differensist Quality / Temp PM of
-OmqfAir
-1hasfer Imeegrky)
Imengsky Imengdry
-Streaurat
-sirecount Desindade ineckage) asockage)
, t serraummags c-. " - -
Isserisce (now (now Immegsky 1sengrky
-strocaust
-smecenet 1
(Tenk, imeegrky meegrky
-sm.aerei Serface)
(rama-ary)
(Blockage, beegrity of 3erface Ame)
PipetSepport j
h s
4 I
The dashed line in the figure surrounding Piping, Flow Diversions, Errors of Commission, and Natural Processes is meant to indicate that in some cases it may ba more appropriate to consider these items as closely related to natural process uncertainties.
For example, a flow diversion may occur, not because of valve cisalignment, but because parameters associated with a natural process such as natural circulation were out of design specification; flow resistance in a cortain piping segment may be greater than as-designed, causing diversion through c different segment. Errors of commission are a complex modeling prospect that cre probably best excluded from the system-level screening.
Pege 2 of Figure 2.2-2 lists some possible natural processes and associated uncertain parameters or effects, to be considered. The processes involved have b2en classified into two main categories: Heat Transfer and Coolant Injection.
Under these categories are the specific processes which might be involved, such es natural convection, radiant heat transfer, and gravity-assisted flow. Then, for each of the specific processes, uncertainties or parameters which could influence the passive system's ability to perform its intended function are listed.
These considerations generally do not lend themselves to fault tree codeling because of characteristics such as time-dependence or the influence of continuously-varying physical parameters. This was discussed to some extent in Ssetion 2.1.2.
The tree presented in Figure 2.2-2 is expected to be applicable to both core and containment cooling systems (involving injection or heat transfer) in advanced water-cooled reactors.
A similar tree might be developed for systems serving other reactor safety functions, such as reactivity control, with the same overall structure and component-versus-natural-process categorization.
The structure of the component failure portion of the screening tree should be such that any proper combination of basic events (according to tree logic) will alone cause system failure.
For example, valve failures preventing flow in a semi-passive system's only injection line would be enough to fail the system, irrespective of natural process influences.
Once the component events are represented on the tree, lower-bound estimates for their failure probabilities are assigned based on available data.
This estimate may be some factor of reduction of the median or mean value reported, related for example to the error factor assigned to the reported value.
Component failure mechanisms for which adequate data does not exist or would be difficult to obtain should not be included. This is the " conservative" approach to determining the lower bound for the component failure portion of the tree.
Other items for which significant effort may be required to assess their contribution, such as flow diversions or errors of commission, should be excluded as well.
Combining the event values eccording to the appropriate logic, an overall lower bound value is determined for the component failure contribution to system failure.
Steo (1b) Natural Process Oualitative Evaluation The uncertainties associated with the natural processes are then examined to dstermine if any can be excluded from further analysis based on low expected impact to system operation.
An example here is design or construction errors that would likely be uncovered in system testing before the plant enters commercial operation.
Further qualitative arguments about whether certain 2-15
natural process uncertainties are likely to influence system failure can then be made based on current-generation plant information, vendor analyses and tests, and analyst judgment.
Many of the parameters would require detailed thermal-hydraulic modeling to adequately ascertain their importance; these are left to later sensitivity analyses using thermal hydraulic models to be developed in subsequent stages (Phase 2) of the study.
Sten (1c) System Importance for Accident Mitication A final characteristic factored into the prioritization of systems and their natural processes is the expected importance of the system to accident mitigation. If, for example, a single system's failure to respond to an accident initiator implies core melt, this system would be assigned a higher priority versus one for which alternate systems can be used to provide the same function.
The sequence-level sensitivity analyses (Step 3) will accomplish this in a more systematic, quantitative manner, by performing importance calculations and evaluating the impact of differing success criteria assumptions to core damage frequency. However, some consideration of system importance can and should be factored into the prioritization of systems and natural process uncertainties in the system-level screening.
Section 3.2 describes the system-level screening performed for the emergency cooling / decay heat removal functions of the AP600.
2.2.2 STEP 2: Sequence-Level Component Failure Quantification The next step of Phase 1 involves in-depth analysis of component failures.
NUREG-1150 PRA methods [2,4) are used here.
Four distinct tasks are involved:
(1) Event tree development (2) Fault tres model development
+
(3) Data, common cause, and human reliability analysea (4) Quantification of core damage frequency for base case l
Event trees delineate the systems which can be used to fulfill a specific function (emergency cooling / decay heat removal for this analysis) in response to an accident initiator. For the AP600 this includes credit not only for passive safety systems but also active non-safety systems. A systemic accident sequence event tree for the AP600 is developed for each of the following LOCA and transient initiators:
Loss of Offsite Power; Transients With and Without Main Feedwater; Steam Generator Tube Rupture; Large, Medium, and Small LOCAs; These trees are conditional on successful reactor scram via control rod insertion or other means, such as borated fluid injection.
Section 3.4 describes the results of the event tree analysis task.
Fault tree models are constructed to represent component failures for the systems of interest, including any support system requirements.
In the event and fault 2-16
1 tree development, a " base-case" set of success criteria is assumed, based for example on preliminary vendor analyses. The fault trees developed for the AP600 b:se case include the following systems:
- Accumulators l
- Core Makeup Tanks
- In-containment Refueling Water Storage Tank
- Passive Residual Heat Removal
[
- Recirculation Cooling
- Depressurization i
- Containment Cooling
- Normal Residual Heat Removal
- Startup Feedwater
- DC and AC power support systems I
The fault tree analysis performed for the AP600 is described in Section 3.3.
A data analysis task is performed to identify appropriate values for use in the overall quantification of the event and fault tree models. These values are to b3 realistic, rather than lower-bound'as in Step 1 of the analysis. Failure data from past PRAs and existing databases are applied to the component failure basic events.
Current plant data are generally applicable due to similarities of ccmponents included in advanced reactor designs and in current operating units (particularly true for the AP600). There are some exceptions which result from differences in areas such as component usage or system safety classification (i.e.
safety versus non-safety grade).
Here, the current data can be j
supplement 3d with such items as vendor test data, the EPRI ALWR Requirements Document goals for component reliability, and expert opinion.
1 The data analysis task includes a common cause analysis as_well as pre-and post-initiator human reliability analyses (HRA).
For the HRA, numerous assumptions are generally necessary for an advanced design, because of lack of operating procedures and knowledge of specific plant operator practices.
Section 3.5 l
dascribes the data analysis efforts.
Once fault and event tree models have been built and the database developed, a
" base-case" quantification of functional core damage' frequency is performed.
Szction 3.6.1 discusses the results of this task.
For the AP600, this step results in an emergency cooling / decay heat removal functional CDF based on Wastinghouse-specified success criteria.
This forms a baseline for later j
comparison in Step 3.
In addition, the models and results of this task will be combined with the results from Step 4 (natural process assessment). The result j
will be an overall measure of passive cooling system reliability, considering both component failures and natural process uncertainties.
2.2.3 STEP 3: Sensitivity Calculations to Evaluate Success Criteria Importance i
A primary focus of this study is uncertainty in the natural processes governing j
passive. system operation.
This translates, as mentioned previously, to uncertainty in the success criteria for the various systems used in accident response. One can examine cases where the components of a passive system have functioned according to " base-case" system success criteria, e.g., the proper 2-17
. - -~
combination of valves have changed state. If inadequate flow or heat removal is realized due to uncertainties in the natural processes involved in the system's operation, then a more restrictive set of success criteria applies.
Say, for example, that in a natural circulation, passive heat removal system, one or two out of three heat exchangers are necessary according to base-case success criteria. However, a greater-than-expected flow loss coefficient may apply due to corrosive processes or other uncertainties in the natural circulation loop.
The flow in the loop may then be inadequate to remove core heat. Perhaps three of three heat exchangers are required in this case to generate a great enough temperature differential to provide the necessary fluid driving force.
To investigate the importance of potentially more restrictive success criteria, which may apply due to natural process uncertainties, the fault and event tree models from Step 2 are modified to reflect the more limiting criteria.
The point-estimate CDF is then requantified for each case to examine the change relative to the base-case CDF.
For this study, three different types of sensitivity calculations are investigated:
(1) within-system success criteria sensitivities (e.g., requiring two-of-two instead of one-of-two trains of a passive system);
(2) cross-system success criteria sensitivities (e.g.,
postulating that after success of one passive system, which normally leads directly to aversion of core damage for the base case, another system is required in order to avoid core damage); and (3) passive system risk increase importance (here, the passive system is assumad to fail, even if the system components function properly according to system success criteria).
The first and second groups deal with the effect of degraded passive system performance.
That is, the system operates at a level of effectiveness not adequate to prevent core damage alone, and requires either an additional train of the same system, or another system operating in concert, to avert core damage.
The third group addresses cases where the passive system components function according to base-case success criteria, but the natural processes are completely ineffective. The passive system is therefore failed, and the " backup" systems which can be used following system failure are added as branch points in the event tree.
In other words, the system's failure path in the event tree is followed.
These sensitivity calculations should consider correlations among
- systems, i.e., whether failure of one passive system due to natural process inadequacies implies failure of other passive systems possibly dependent upon the same natural process.
The results of these sensitivity analyses will provide guidance as to which passive systems are more important to core damage frequency, given different levels of degraded performance due to natural process uncertainties.
A quantitative prioritization can be constructed based on largest increase in CDF relative to the base case.
The likelihood of natural process " inadequacy" or l
" failure" is not quantitatively addressed until Step 4.
However, the results of Step 3,
together with the high-level understanding of the various natural processes developed in Step 1, are used to prioritize the passive systems and 2 18
cssociated natural processes to be analyzed in Step 4,
natural process essessment.
The sensitivity analyses performed for the AP600 are discussed in Section 3.6.2.
2.2.4 STEP 45 Natural Process Assessment In order to incorporate natural process uncertainties in the quantification of passive system reliability, selected accident sequences involving passive system operation are analyzed using thermal-hydraulic models.
Only sequences which indicate successful component functioning for the passive system (s) of interest will be analyzed.
That is, we are interested only in situations where the natural process uncertainties may negatively impact overall core damage frequency. Here, although the mechanical components have operated correctly to c_eet the assumed system success criteria, uncertainties in parameters such as heat transfer coefficients or as-built dimensions of components may result in inadequate flow or heat removal by the passive system (s). A more restrictive set of success criteria applies, with a particular degree of certainty.
The sequences to be analyzed are selected based on the results of Steps 1 and 3:
qualitative information on the expected importance of the natural process to passive system operation, and quantitative results of the component failure sensitivity calculations.
The sequence-level approach to the analysis is necessary because evaluation on the system level, i.e. one passive system at a time, would not consider the influence of other passive and active systems which operate (or fail) in the sequence.
Thus, each sequence potentially represents a unique set of conditions affecting t'n outcome of the thermal-hydraulic analyses, although some binning of similar sequences is possible.
First, thermal-hydraulic models of the ALWR are built. Sensitivity calculations are performed using the thermal-hydraulic code to determine the most important code input parameters, such as heat transfer or flow-loss coefficients.
- Next, expert elicitation is performed using the NUREG-1150 structured approach, to obtain distributions on values for the important input parameters.
Multiple thermal hydraulic code calculations are performed for a given sequence and the results analyzed to determine the contribution of the natural process uncertainties to overall sequence outcome. Output distributions are generated, end the results are finalized with input from the expert panel.
In this step, the experts will also be asked to provide measures of modeling uncertainties.
The distributions obtained can then be discretely represented using phenomenological-type event trees, similar to the accident progression event trees (APETs) utilized in Level 2 PRA analyses.
These are " appended" to the accident sequence event trees developed in Step 2, and sampled to provide an overall distribution for ECC/DHR functional core damage frequency in Step 5.
For Phase 2 of this study (method demonstration), Step 4 will be performed for a few sequences involving operation of AP600 passive systems associated with core cooling only, as opposed to including containment heat removal. The AP600's core and containment cooling systems are to a great extent coupled, and complete evaluaticn of the core cooling systems will require consideration of the containa.cnt systems.
However, modeling of these coupled processes will be a great deal more involved than modeling just the primary system.
This 2-19
comprehensive modeling is unnecessary for demonstration of the method.
Such a complete analysis is to be performed in Phase 3, the implementation phase, of the program.
2.2.5 STEP 5: Calculation of Overall CDF and Comparison to Current Plant In this step, completed after the Phase 3 implementation of Step 4, the results of Steps 2 and 4 are combined to provide an overall measure of the reliability of systems serving the emergency cooling and decay heat removal functions. The product of Step 5 is a complete distribution of the ECC/DHR functional core damage frequency, considering both component failure uncertainties and natural process uncertainties in both core and containment heat removal processes.
Alternatively, a functional failure probability can be found from the functional core damage frequency by removing the initiating event frequency contribution.
That is, the ECC/DHR functional failure probability is conditional on the initiating events considered.
In either case, the result can be compared with the similar quantities for the current-generation reactor design. The current plant quantities can be extracted from an existing PRA of the current-generation plant.
For this study, Surry Unit 1 will be used as an " example" current plant for comparison.
Surry is similar to the AP600 in that it is a Westinghouse pressurized water reactor.
Further, a detailed PRA exists for Surry, since it was analyzed as part of the NUREG-ll50 analyses [3].
2-20
3 COMPONENT FAILURE QUANTIFICATION This section describes the efforts for the system-level qualitative analysis and the quantification of the component failure contribution to emergency cooling and decay heat removal functional failure in the AP600.
The methodology for this portion of the project is described in Section 2.2.1.
This section begins with a brief overview of the AP600 design, and a discussion of the difficulty in analyzing an evolving design. The system-level screening analysis is discussed l
next. The steps for evaluating the component failure contribution to emergency I
cooling / decay heat removal functional failure are then described in turn in Sections 3.3 through 3.6:
Systems Analysis, Event Tree Development, Data Analysis, and Quantification and Sensitivity Calculations.
Because the success criteria applied in the base-case sequence-level quantification are based on Westinghouse information, which is proprietary, portions of Sections 3.3 through 3.6 are incorporated in a limited distribution set of appendices to this report. Certain design details are also proprietary, and information relating to these details is contained in the proprietary appendices as well.
The NRC-developed computer code IRRAS (Integrated Reliability and Risk Analysis System) [32), version 2.6, served as the primary tool for fault and event tree model development, and overall quantification and sensitivity calculations.
IRRAS produced the fault and event tree graphics included in this report (Appendices P2 and P4), as well as the sequence, importance, and uncertainty calculations discussed in Section 3.6.
(
3.1 AP600 Design Summary 3.1,1 Phase 1 Representative AP600 Design One of the difficulties of this study has been considering the evolving nature of the AP600 design. In typical current-plant PRAs, a " freeze" date is selected, after which any plant modifications are not considered. However, the results of the analysis remain generally applicable for some time, because plant modifications to an existing facility are usually not radical.
For conceptual dasigns, however, changes can involve the elimination or addition of systems, and significant modification to system capabilities.
These changes occur over a relatively short (a year or less) period of time. Obviously, these changes can greatly affect the results of a PRA.
For this study, a reasonable effort was made to incorporate the latest in design changes, so that the results of phase 1 will be more representative of actual AP600 capabilities.
The proprietary nature of much of the AP600 design information is a somewhat complicating factor in obtaining the latest information.
At the start of phase 1 in October 1990, the design information available to Sandia was that documented in the AP600 Plant Description Report (PDR), Revision 0, dated January 1989.
The system-level screening analysis described in Section 3.2, completed in March 1991, is based on this design version.
Additional information on design changes to the PDR design were obtained af ter the completion of the screening. However, with the exception of the Passive Residual Heat Removal system, changes to the passive safety systems 3-1
i were minimal, and did not appear to change the conclusions of the screening. The screening analysis was therefore not modified to reflect the changes.
t The more design dependent aspect of phase 1 of the study is the component failure r
quantification, involving fault / event tree modeling and data analysis, followed by base case and sensitivity calculations. These results change significantly with changes in the design. The fault and event tree models, developed using the l
PDR and the first set of design changes, were modified when additional design information was learned in July 1991.
The design analyzed in the component failure quantification portion of phase 1 can best be categorized as a hybrid of implemented and proposed AP600 design changes as of July 1991.
As one might expect, there have been several design changes since the analysis; this fact must be considered when viewing the results of this study.
The intent is to ultimately update the models during Phases 2 and 3 (see methodology description, Section 2.2) of the program.
3.1.2 General AP600 Plant Description i
This subsection presents an overview of the more pertinent aspects of the AP600 design.
More detailed system information is provided in the systems analysis section (3.3).
Information regarding the response of the various plant systems to accident initiators is included in Section 3.4, Event Tree Analysis.
The following description and figures are based on references [16), [31), [33), and l
the footnoted reference below^.
The design approach for the AP600, as for other ALWR concepts, involves l
simplification to improve economics, construction, maintenance, operation, and-safety.
Passive safety systems are employed which use natural driving forces only, and minimal dependence on support systems.
Active non-safety systems perform during normal plant operations, and also provide backup to the passive safety systems in response to accidents. These active systems are powered by two on-site, non-safety diesel generators if off-site power is lost.
The 600 MWe PWR incorporates a low power density core, and no bottom-head vessel penetrations.
The reactor coolant system contains two hot legs and four cold legs, with two standard Model "F" steam generators (SGs), four canned-motor reactor coolant pumps (RCPs), and a 1300-cubic-foot pressurizer. The RCPs are mounted integrally to the SGs, which eliminates the pump suction leg piping.
3 This reduces the overall piping length in the primary system and avoids the loop l
seal plugging prcblem found to occur for current PWRs following a small-break loss of coolant accident (LOCA).
Figure 3.1-1 (page 3-4) provides a depiction of the reactor coolant system (RCS).
The AP600 incorporates integrated, micro-processor-based instrumentation and control systems, and an advanced, human factors based control room. A four-stage automatic depressurization system is employed te allow the use of low-pressure passive inj ection systems, or " feed and bleed" cooling following an accident initiator.
Passive decay heat removal for response to transient initiators (after failure of normal, active systems) is provided by the passive residual heat removal
^"AP600 Plant Descriptions," Westinghouse Electric Corporation presentation to the Advisory Committee on Reactor Safeguards, June 6,1991.
3-2 l
(PRHR) system. Figure 3.1-2 (page 3-5) is a simplified schematic of the system, which incorporatos three heat exchangers housed in a large tank, the in-containment refueling water storage tank (IRWST). Natural circulation drives the fluid from the surge line of the pressurizer, through the heat exchangers, to the t
cold-leg side of the steam generator.
The heat exchangers are cooled by the fluid in the IRWST, also through a process of natural circulation within the l
tank.
Passive coolant injection following loss of coolant accidents is provided by a redundant arrangement of high-and low-pressure injection systems. These systems feed into the reactor vessel via two safety injection, or direct vessel injection 4
(DVI), lines. Figure 3.1-3 provides a depiction of the passive safety injection systems.
(Note:
there have been a few design changes not reflected on Figure 3.1-3 that have been incorporated in the systems analysis, Section 3.3.
Schematics representative of the systems analyzed accompany Section 3.3.)
The high pressure passive injection systems are the core makeup tanks (CMTs) and the accumulators (ACC).
The two CMTs are capable of injecting by gravity at any reactor pressure, because of pressure-equalization lines from the RCS cold legs to the top of the CMTs. Two accumulators, similar to current PWR accumulators, are maintained with a nitrogen overpressure of approximately 700 psi.
One CMT and one accumulator feed each DVI line.
For low pressure, longer term coolant inj ection, the automatic depressurization system (ADS) actuates to reduce RCS i
pressure to near-containment atmospheric. Then the IRWST can inject via gravity-induced flow through two redundant lines, one to each DVI line.
The passive containment cooling system, shown in Figure 3.1-4, provides heat removal to the ultimate heat sink (the air external to the containment structure) during use of the passive core cooling systems, and controls containment pressure. The containment is cooled by natural convection of air, as shown in Figure 3.1-4, and assisted by evaporative cooling of fluid sprayed onto the exterior surface of the steel containment vessel.
Following a LOCA, a recirculation of fluid is established from the RCS, out the break or the ADS valves, with condensation of steam on the inside containment shell.
The condensate drains via a system of weirs back to the IRUST for inj ection, or alternatively, to the containment sump.
If the sump fills with liquid above the level of the DVI lines, as shown in Figure 3.1-5, the fluid can
. reenter the RCS through two parallel sump injection lines. Fluid passes through sump screens and a system of valves to the DVI lines connected to the vessel.
This is again a gravity head-driven process.
3.2 System-Level Oualitative Analysis Task 3 of the Passive System Reliability Project involves a rough, system level qualitative analysis for the various AP600 passive systems serving the emergency cooling and decay heat removal functions. The methodology for this analysis is described in Section 2.2.1 (" Step 1"). As previously discussed, functioning of each of the AP600 passive systems involves natural processes, such as natural circulation and gravity-induced flow, as well as operation of components, such as valves. The objective of the system-level analysis is to examine the relative
{
(Text Continues on Page 3-9) 3-3
v ce v
g PROVEN DESIGN OVERSIZED (1300-ft')
PRESSURIZER FOR GREATER OPERATION MARGIN STANDARD MODI STEAM GENERAh V
D SURGE LINE (18-in. o.d.)
U EL N
HOT LEG PIPE COREU ERY I3I"I"" I'd'I
\\
N, CANT ED M dR PUMPS IMPROVE SAFETY AND RELIABILITY COLD LEG BENT PIPE (22 in. i.d.) MINIMl2ES
/
CHANNEL HEAD CONSTRUCTION AND
/
INSPECTION COST WITH PROVISION SAFETY FOR ROBOTIC INJECTION s
MAINTENANCE NOZZLE g
REA [br-LIFE lV R VESSEL (157 in. Ed.)
{v Copyright 1990 by the American Nuclear Society, La Grange Park, Illinois.
Figure 3.1-1. AP600 Reactor Coolant Loop. [31]
(Westinghouse Drawing) 3-4
i CONTAINMENT WALL i
IRWST (1 of 1)
W pg REFUEL p
..1...
CAVITY PRHR A
HX N
\\
/
V PRESSURIZER X
,9, FO W;
r
\\
5 J
P HL CL t/
RCP NRHRS:
EL REACTOR VESSEL Figure 3.1-2. Passive Residual Heat Removal System Simplified Schematic.
(Based on Westinghouse drawing from Westinghouse Electric Corporation presentation to the Advisory Committee on Reactor Safeguards, "AP600 Plant Descriptions," June 6,1991) 3-5
Figure 3.1-3. Pa:sive S;fety injection Systema Simplified Schematic.
(Based on Westinghouse drawing from Westinghouse Electric Corporation presentation to the Advisory Committee on Reactor Safeguards, "AP600 Plant Descriptions," June 6.1991) b CMT2-101 101 DEPRES FAI
@@g VALVES g
y
-~
R @l,-'
Xbl m
Y=7 4
n!O x
_ = = = - - - -
}
REFUEL CORE MAKEUP TANK (1 OF 2) p CAVITY IRWST i
y PRESSURIZER ( y j
SPARGERS ACCUM.
()
(10F 2)
SUMP SCREEN f-*
FO (1 OF 2)
L_
m NRHRS PUMPS CL i
f p
HL Y
=
NRHRS=
[ % [FO
~~
REACTOR VESSEL r
%, 6 CON
t CONTAINMENT COOLING HEATED AIR DISCHARGE
/
l PASSIVE CONTAINMENT COOLING SYSTEM E - STEAM WATER STORAGE TANK M WATER WITHIN THE RV CONTAINMENT COOLING
. @ WATER OUTSIDE THE RV I
/
n
/
\\
-a Minisii:V/
II
\\Naishin r.;-
w
//
\\
AIR BAFFLE p
\\
STEEL CONTAINMENT VESSEL i
1 l -i
=
l U
U
- 1. PRESSURIZER g g 6
~
g IN. CONTAINMENT I $
3 4
- 3. COLD LEG CONNECTION h
= 4. PRESSURIZER CONNECTION F EL G WATER 2
Y
- 5. IRWST CONNECTION I;~_43 V. M$
Q g
' _ 6. CORE MAKEUP TANK 5 '
d m
- 7. ACCUMULATOR
%9 o ;
e M==gn
'k g
t:r:.
Copyright 1990 by the American Nuclear
' Society, La Grange Park, Illinois.
Figure 3.1-4. AP600 Passive Safety injection During LOCA Initiation. [31)
(Westinghouse Drawing) 3-7
CONTAINMENT COOLING HE TED AIR DISCHARGE
/
PASSIVE CONTAINMENT COOLING SYSTEM WATER STORAGE TANK M STEAM
% WATER WITHIN THE RV CONTAINMENT COOLING AIR INLET
% WATER OUTSIDE THE RV
/
\\
m V/
II NNd*2 6-
/j
- O N
AIR BAFFLE f
i
\\
STEEL CONTAINMENT VESSEL 1
=
I o e U
P 4 U
-fi 7
{ 3.g y -
- h=
0
- 1. PRESSURIZER
= 2. STEAM GENERATOR IN CONT AINMENT 5
i UEL G ^ ER" y
- 3. COLD LEG CONNECTION p
ANK
.Na - %p b$
O Q
- 4. PRESSURIZER CONNECTION sfo 7
..k h[
- 5. IRWST CONNECTION N,jWi p 6. CORE MAKEUP T g
~j p
L_ 7. ACCUMULATOR
^
~~ y,-
w g
Copyright 1990 by the American Nuclear Society, La Grange Park, Illinois.
i Figure 3.1-5. AP600 Passive Safety injection After a LOCA. [31]
(Westinghouse Drawing) 3-8
contribution of the various natural process uncertainties which influence passive system mean failure probability, versus the contribution to system failure probability from component-type failures.
By making this comparison, those systems for which natural process uncertainties are expected to be important can ba identified. This screening or prioritization, along with the information from the sensitivity calculations described in Section 3.6, will provide input to the colection of the more important natural processes for the resource-intensive, dstalled assessment of process uncertainties in later phases of the study.
As discussed in Section 3.1.1, the AP600 design version analyzed for the system-level screening is that described in the Westinghouse AP600 PDR dated January 1989.
The numerous design changes that took place subsequent to the PDR were learned only after completion of the system-level analysis.
In addition, some clarifying information obtained after the analysis changed some assumptions about systems.
However, these changes generally were not radical in relation to the passive systems.
The passive-system-related changes included the following:
(1) incorporating more heat exchangers in the passive residual heat removal system, cnd changing some of the valving arrangements to accommodate the heat exchangers.
(2) a gutter arrangement directs most of the fluid condensed on the inside containment walls to the IRWST, instead of to the sump, as assumed in the screening (reference " sump injection / recirculation" in next paragraphs).
This is more of a design clarification than a design change.
(3) the valve configuration in the injection lines from the IRWST and Sump was changed to include more parallel valve lines.
(4) minor changes in the valve arrangements in the injection lines from the CMTs.
In addition, for events such as LOCAs requiring larger amounts of fluid makeup from the CMTs, the pressure equilibration line mainly serves to prevent water hammer, not as an alternative to the cold-leg equilibration line-(design clarification).
(5) passive, gas-pressure-driven containment spray is no longer necessary prior to use of the backup active cooling systems.
(6) based on our understanding, it appears that passive water spray on the exterior containment vessel (to allow evaporative cooling) is not necessary for containment heat removal, to avert containment failure and core damage; air cooling alone is adequate.
Because the results of the system-level analysis are essentially qualitative in nature, and the quantitative portion involves a lower-bound (not best) estimate, they are not expected to be greatly affected by the changes. The screening was therefore not redone to include the changes.
The remaining discussion of the screening analysis refers to the PDR-version of the AP600 design, not the updated design analyzed in the component failure quantification described in Sections 3.3 to 3.6.
l 3.2.1 Systems Included in Qualitative Analysis The systems examined as part of this analysis are the passive systems serving the emergency cooling and decay heat removal functions in the AP600.
These are front-line safety systems used for primary system and containment heat removal.
3-9
l l
The primary inj ection systems are the
- CMTs, ACCs,
The accumulators are pressurized injection tanks, as in a current-generation plant.
The recirculation associated with sump inj ection involves natural circulation and condensation of steam on the interior containment steel vessel (with heat then transferred to the containment vessel exterior), followed by drainage back to the sump for injection to the reactor vessel. In the analysis, the containment recirculation function was coupled with sump injection, because containment recirculation is needed for heat removal and (condensed) water supply to the sump.
The PRHR is a recirculation system which transfers heat to the IRWST from the primary system via natural circulation through the PRHR heat exchanger. Another system modeled, the interior containment spray system (CSS), operates by pressurized gas-induced flow. This passive system is autwatically actuated for radioactivity removal, but can be manually actuated to reduce containment pressure for some accident scenarios.
Finally, external containment heat removal involves gravity drain of water from the passive containment cooling water storage tank (PCCWST) on the exterior of the containment shell, combined with natural draft air and evaporative cooling.
In the system-level qualitative analysis, the external spray was combined with the air cooling in the model, based on the understanding that both evaporative and air cooling are needed for averting core damage in those sequences requiring containment cooling. Air cooling alone is assumed only to prevent containment failure following core damage. As mentioned previously, the assumption in the sequence-level quantitative analysis described in Sections 3.3 to 3.6 is that air cooling by itself is sufficient to avert core damage, based on more recent vendor information.
3.2.2 Screening Trees This section provides a brief description of each of the screening trees, developed according to the structure and content of Figure 2.2-2 (see discussion of the " Step 1" methodology in Section 2.2.1). These trees are developed for a single completely redundant train of a given system, e.g. one of two CMTs. Some discussion of the failures depicted on the trees are presented, along with a listing of the parameters or areas identified as influencing the natural processes. These processes and their influences are discussed further in Section 3.2.3.
With regard to the component-type failures on the trees, common cause valve failure contributions within a full system train have been included in the trees. After'the description of the screening trees, the data values assigned to the events in the screening trees will be discussed.
It should be emphasized that for the purposes of determining a lower-bound es timate (i.e., screening value) for component failure contribution, omitting a failure mode is conservative. This would hold true for any event under an "0R" (not an "AND") gate. This simply makes the lower-bound estimate smaller, and the natural process uncertainties will be evaluated as more important to system operation (and more likely selected for further analysis in later phases).
In these trees, items that were found not to significantly increase the screening value were not included on the tree; for example, locked-open manual valve 3-10
1 problems that have 'very low probabilities of occurrence were not included.
H: wever, in some cases, low-probability events such as tank failures were listed en the tree for consistency with Figure 2.2-2.
Human errors of commission have not been considered in the screening.
The following subsections describe the screening trees constructed for the verious passive safety systems included in the January 1989 version of the AP600 dssign.
Core Makeun Tank (CMT).
Figure 3.2-1 (page 3-14) presents the screening fcult tree for the CMT.
This tree represents failure of one CMT to inject its centents to the vessel.
This system operates by gravity injection, with two pressure equilibration lines from the top of the tank to the cold leg and to the j
pressurizer, so that injection can occur at any RCS pressure. The valve failures occur in the injection and pressure equilibration lines. Although the normally closed air-operated valves which open to allow system operation will fail open on loss of power or signal, a safety inj ection initiation signal must be gsnerated and transmitted from the sensor system in order for the valves to change state.
Failure of this system of transducers, transmitters, switches, etc. to sense and transmit the need for safety injection is represented by the "No Actuation Signal" event on the CMT, and on subsequent trees with similar fail-open valves.
The natural process of interest is gravity-induced flow to the reactor vessel via the direct vessel injection line. Here, the following parameters or offects influencing gravity injection have been postulated: design / construction errors, localized pressure effects inhibiting flow, initiator effects such as a break near the injection line, and possible subtle flow diversions.
Accumulator (ACC).
The screening fault tree for the ACC is displayed in Figure 3.2-2 (page 3-15).
The top event of interest is failure of one ACC to inject contents to the vessel. The only valves which must change state here are check valves. Plugging or failure of a motor-operated valve (MOV) to remain open is included in the model.
The nitrogen support system is not developed in the tree.
Flow diversions for this system involve diversion to the sump, CMT, or IRWST, with the most credible (although still unlikely) of which appearing to be.
the IRWST (two check valve failures). In this case, RCS inventory would also be l
lost to the IRWST if these check valves failed.
l The natural process involved is pressurized gas-induced flow to the reactor vsssel via the direct vessel injection line. The potential influences on natural process operation are essentially the same as the CMT, above.
Passive Residual Heat Removal System (PRHR).
The PRHR screening tree is given in Figure 3.2-3.
This tree models the failure of the PRHR system to remove core decay heat for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> via natural circulation (no RCPs, which provide some l
cdded forced circulation).
Valve failures are postulated for the natural circulation flow path. In addition, heat exchanger (HX) problems are considered for the PRHR HX located in the IRWST.
For this tree, two natural processes are involved.
The first is natural circulation of RCS coolant from the pressurizer surge line, through the PRHR HX, I
I to the cold leg of the steem generator channel head. The parameters or effects l
influencing the effectiveness of this natural process include the following:
l dssign/ construction errors, initiator effects, flow resistance uncertainties, 1
l 3-11
{
I
structural integrity of the piping, and variations in the temperature differential versus the IRWST. This process is coupled with heat removal from the PRHR HX via natural circulation in the IRWST, which is the second natural process involved in this system's operation.
The removal of heat from the PRHR HX by natural circulation in the IRWST is indicated as a support to the PRHR HX in the screening tree. This second process is influenced by several parameters: structural integrity of the IRWST and PRHR HX, possible flow obstructions or restrictions within the tank, the pressure of the tank / containment, and effects of operation of the depressurization system spargers, which discharge into the tank.
Variation in the heat transfer efficiency between the HX and the tank is part of the coupling to the PRHR natural circulation process.
IRWST natural circulation is coupled to the internal containment heat removal, because the heat removed from the PRHR HX is transferred, for the most part, from the top of the IRWST to the containment atmosphere.
i In-Containment Refueling Water Storage Tank (IRUST) Iniection. Figure 3.2-4 shows the IRUST injection (IRWSTIN) screening fault tree.
This tree depicts IRWST gravity injection to the vessel following RCS depressurization.
Valve failures on one of the two injection lines are indicated, as well as tank and piping problems. Flow diversion to the sump is conaidered the most credible of the diversion possibilities; one check valve must fail.
Gravity-induced flow from the IRWST to the reactor vessel via the direct vessel safety injection line is the natural process involved in this system's operation.
The possible parameters or effects involved include:
design / construction errors, localized pressure effects, initiator effects, use of PRHR HX or depressurization system spargers which discharge into the tank, and quantity of water supply.
This process may be coupled to containment heat removal for longer-term injection of water condensed on the containment shell.
Containment Recirculation and Sumo Iniection.
The containment recirculation / sump injection (RESMP) process is represented in Figure 3.2-5.
This process involves recirculation of steam from a break or from the depressurization system via natural circulation and condensation on the internal containment shell,. drainage back to sump, and gravity flow into the vessel from the sump through the direct vessel injection lines. One of two injection lines is modeled in the screening tree.
Plugging of the sump screen is indicated on the tree.
As was mentioned previously, these processes (containment recirculation and sump injection) have been combined into one tree because they are coupled for accident response.
Two separate natural processes are involved in this tree: sump injection by gravity flow, and natural circulation and condensation with gravity return of condensate to sump.
The first process may be subject to flow diversions, design / construction errors, pressure or initiator effects, lack of adequate water supply, and may compete with inj ection through a break in the RCS.
Sump injection is coupled with internal containment recirculation for water supply.
Natural circulation and condensation with return to the sump could be influenced by flow diversions of the condensate, design / construction errors, pressure and initiator effects on natural circulation, temperature and quality of the containment atmosphere, uncertainties in the flow patterns of the steam within containment, and the effects of passive heat sinks within containment.
This process is closely coupled to external containment heat removal.
3-12
Internal Containment Sorav System (CSS).
Figure 3.2-6 shows the CSS screening tree. This system operates by nitrogen gas pressure-induced flow from water tanks to spray ring headers within containment.
Valve failures are considered along with tank and piping failures. The nitrogen support system is not developed for this model, because the nitrogen tank failure probability is considered negligible and the tanks will likely be instrumented to detect leaks.
The natural process of interest is, as mentioned above, gas pressure-induced flow from the water tanks to the spray ring.
The possible effects postulated hare are design / construction errors, and variations in containment pressure, clthough the pressure variations are not expected to have a significant effect on system operation.
External Containment Heat Pemoval with Air Cooline and Water Surav (EXTCC)..
This screening tree is displayed in Figure 3.2-7.
The structure of this tree is somewhat different, because both the passive external containment spray system and alternate active system water sources (e.g. firewater) can potentially be used to deliver water to the surface of the containment shell. The valve, tank, cnd piping failures indicated on the tree are all associated with the passive containment spray system.
Also associated with this passive system is the natural process of gravity-driven flow from the passive containment cooling water storage tank (PCCUST) to the containment shell surface.
Here, design /
construction errors, tank structural integrity, and water temperature and quality variations may influence natural process operation.
The intermediate event indicated in the screening tree, " Failure to Spray Water on Containment Shell", requires both the passive external containment spray system and the alternate water sources to fail. The alternate water sources are represented by an undeveloped event that will be discussed further in the data section which follows. If water spray is established on the containment shell, edditional natural processes are involved in the containment cooling:
water spreading and evaporative cooling.
Here, water injected on the containment spreads over the surface via a system of weirs, receives heat transferred through the shell from the interior cf the containment, and evaporates.
This natural process can be influenced by design / construction errors, containment shell and building structural integrity, spray water temperature and quality, water spreading uncertainties and possible effects of rapid upward air flow, and the heat transfer efficiency and nature (e.g. locations of high heat transfer) from the interior of the containment shell. This process is coupled with the external air cooling process, internal containment heat removal / recirculation, and water injection from the PCCWST or alternate sources.
The external natural draft air cooling of the containment shell is a process which involves drawing air from the exterior of the concrete containment building, followed by natural draft air flow over the external surface of the containment shell (inside the containment building). This air removes heat from the surface of the shell, and is returned to the exterior of the containment building through the chimney at the top of the building. This process is subject to design / construction errors of the containment; initiator effects (primarily
" external events"); containment building and shell structural integrity; possible clogging of the water drain at bottom of the containment building, blocking air circulation if water collects in the area; external temperature and internal containment building air temperature; and variations in air quality and velocity.
The process is coupled to the external evaporative containment cooling, and the internal containment heat removal / recirculation processes.
3-13
a I
m
,..c.c v.u.ett.m.t.e.
t.
m C
inju.et t
see l
es 1
I I
f
"[M 'M" v.s T.at rips.e marun taret saras cm, c
I "h >
M D ues T **k
- F"*'*
'*N,P'"
?
K~2~ =:,'
i )I CA CAfflt i
i 1
I I
evertse avestie com
,e a= c e4 tas:
,*.e. h-
.. m _c..s.
.c.
h.e
. a.c. f,, e
- p. a.m.m, i
v....
...,.m_
~
.n, g
i f1 I
I mwTs.
rvrptes 1
I I
Evt#T3e c
- "C**
,,','*l ; =."..
n cd, o s m e.u e..c../t.o..a or..
a.e.a. a..a.cy r,,;;,gg.
i i
l u
1
.a t=
r m, rvm.
i i
r==
r=r=
l o, C./,O A.O, W
g c /,0 acT.
1 mem
-mw 9
i Figure 3.2-1.
Core Makeup Tank Screening Tree
. ~
l i
~
5
~
- ll 01
.i e,k 8 h-l
- f i
- ll OI i
i
_ f
- I Ol f
e 8
il 01
-l'y3 i
l Oi j
- ! 3 a
A l.
i A
3!
- ll!Cl E
- ll!01
-! 3
!!C!
9 nl,bh
~
3-15
f to f
I l
I
'~
Q=a Q
-4n T
=
h i.
I-i.f. $7. z;;'.
,,r.,,"d.=r,.,
= = =.. -
';rt.;%";l:'
- 4. w w
, T*. */" *
= =
- ,.
- =
~ y;; ~
C
~
Q Q
. Q Q
" t ".'r2 J
r I. Y,,,4, "-
- '"l=
~ T;.7 m'.;:::-
- r.t
- *m2 D
~%"EY FTFT7 PE"'t Preve I
I avretts aveytta suustas
- LLT
- ALT rene to epse pose to ep s
w
.W m r.
mmt i
e i
t
't 1
4 0
t e
i 4,
I i
s j
Figure 3.2-3.
Passive Residual Heat Removal System Screening Tree 1
}
- - -.., - - ~, - ~. -, -, -,, - -
.. - -, -., ~ ~. - -,,,. -.. - -
... - -.. - ~ -.... -
I C 'O C a:Ta'T3, O
I I
I i
i
$.Y..,,..Y.,#,
(TI.=* O ~e NUr-Tee,.e etynne i
T igc=1 n g; Or.
b_
b I
I I
I I
I I
.e
.== =
w T.
~~
~=>--
uv====
i eg-.g.=
m.g.i,
. 3 g.,
og,,,
u.
, 9,u::;;
y, mg..
,~,mg
=...
..- mm, m.,
9
)
i '-
M..i, ITTNTS ETtfrTT I
I FIGMCT WBGl.RCT DEGLECT ITENTt.
EvtWTtS
,",.'"'.4".
:=.==
37tNTs EvtPT39 w
.W W
i Figure 3.2-4.
Gravity Injection From In-Containment Refueling Water Storage Tank (IRWST) Screening Tree
1
.OYr m~
I I
I I
I veewee
- e. n, poteres 7
'L**8d w J.*T
-a.t:::.*
b)
.b,)
==
=_
=
I I
I I
I I
I a-,4~
g;~
T.'s'mt.
%= -
Ew -
=== -
1
.-ggm,.
- w. g...
m O
O v
5 Figure 3.2-5.
Containment Recirculation and Sump Injection Screening Screening Tree
fg 8
I I
I I
Te.k.
M.eng "q", Em
":: C:: :.T*
cv4 30
~ ~
h b__
Q
.b.
i I
I i
l l
i'*.1 i *.*O Q,p*
g'g"y*"
- C:"
b-W tatt fess-,)
9.ss2T W.st2T ETER,.
1 I
I I
I I
- ..ta*,
- .t..=.,.,.::~
,v.,./~.
.i!47,";":.
i
,W.
= =.. -
.b_.
)
b Treetta l
I
.wt.TE.
I 1
9.WTts
/ f.,i:'.:.:.
"f tl" :l-*
/.W : "."
7W...
~
b
.b..
.b...
4 e
S evre,e.
rerow i
1 i
//f* "
"* C.*,""
7isf f..".
C.*, ""
r.
f i
Figure 3.2-6.
Internal Containment Spray System Screening Tree 4
I 1
1 e
e-,-y,w m
we r.,-,-
,---ww--
-r,-
.,,,. ~, _,
.I. <m
. m mz O
s.gs.
I I
I
....,a.
c..
c c..
u,.
u, uvi i
I l
..*~~i
..nm,-
...=-m
=.T!.*O Q
M'5,%:.T.
r ry
.clbf 'h.
r.,
w... "in rJ
. %*t _A= I"'.E,
~'LSg"
?!: :4,*uen Lt.-as t
um ba I
i i
I
' 4. '.,'".,".,.::r.
w' T...
e n.. e..
m, o
ob uN um.
u I
I I
I I
I rTtm.T,./,Y.a.
e-=
T..=
,'.;',n ;;,.
.,,e.
m'.,.'-,";,r.,
....a..
c.-
c.-
u 5;..
T na
-staa T.u
/ei.
JatinMe.satL O
ut ETT.T:.
I l
.AT r.9C IDES.KT Pt9&BC, I.tyTE.
c.a 6
G.
19 I
I I
i mi..
= +, e.
,e
.e.
-n
.n i
i 3 mi.
i i
m T..
n, c..c.. :
.e.
n, e
.e.e a
Ev3pt.
E,t.T.
ETTFTt3 t,tWTte External Containment Cooling Screening Tree Figure 3.2-7.
3.2.3 Screening Data Values for Component Failures As discussed previously, the screening values for the component failures in the tree are to be lower-bound estimates.
In order to provide estimates for these events, available data for valve, tank, piping, heat exchanger and other failures were used.
The sources for data included the NUREG/CR-4550 methodology document (4), EGG-SSPE-8875 " Generic Component Failure Database for Light Water and Liquid Sodium Reactor PRAs" [34), NUREC/CR-4550 Vol. 3 (Surry level 1 analysis) [3),
NUREG/CR-4780 (Common cause Failure Procedures) [35), NUREG/CR-2728 (IREP Procedures Guide) [37], and the Westinghouse AP600 Plant Description Report.
I The sources and methods for estimating the screening values for the failure events in the screening trees will now be discussed. Figures 3.2-1 through 3.2-7 present the screening trees for the passive systems.
In the following paragraphs, a brief discussion of the screening value estimations for each of the major component failure areas (Valves, Tanks, Heat Exchangers, Piping, etc.) is presented. In this analysis, mean failure values from the various data sources have, for the most part, been reduced by a factor of ten (these values generally are assor!-ted with a reported error factor of three to ten). The exception is the sump screen plug event, which has a reported error factor of 100; the mean value indicated for sump screen plugging was reduced by a factor of 100 in this case.
Valves.
Table 3.2-1 provides a summary of most of the valve failures of interest, with the applicable systems for each event, the source, and the calculated screening value. The valve actuation signal event has been neglected on the various trees, based on low expected contribution and uncertainty about the proper estimate to use for this event.
Heat Exchancers. The PRHR is the only passive system with a heat exchanger.
Here, flow blockage and catastrophic tube rupture have been modeled.
The screening values applied were calculated assuming a 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> mission time, using 5.7E-6/hr for blockage and 3E-6/hr for rupture, both from Table 8.2-7 of [4].
I As with other screening values, the reference values were reduced by a factor of ten to obtain the screening values on the tree.
Tanks.
For CMT and ACC, tank rupture probability was calculated based on information in Table 1 of [34).
The applicability of this data is rather uncertain, but the resulting screening value is low enough (IE-7) that it does not dominate the screening.
A related event for the IRWST is structural integrity of the tank, which is considered to be of low enough probability not to affect the overall active screening value. For the internal containment spray system, the failure probability for both water tanks is considered to be negligible.
For the external containment PCCWST, tank structural integrity is to be considered under the natural processes, possibly as an initiator effect.
For the CMT, ACC, IRUST, Internal CSS, and PCCWST, maintenance-related failures to adequately fill the tanks are considered negligible, based on the expected likelihood of frequent surveillance or presence of level-ar.nunciators for these safety systems.
As mentioned previously, nitrogen support system models for ACC and CSS wre not developed.
3-21
1 Table 3.2-1. Valve Failure Screening Values c
EVENT APPLICABLE SOURCE SCREENING SYSTEMS (*)
VALUE N.C./F.O. A0V Fails CMT, PRHR,
[34), Table 1 lE-4/ demand to Open on Demand EXTCC (0.1
- lE-3/ demand)
A0V Common Cause CMT, PRHR,
[35), Table 3-7 lE-5 Failure EXTCC Beta Factor - 0.1 N.C./F.O. MOV Fails CSS
[3), Table 8.2-5 3E-4/ demand to Open on Demand (0.1
- 3E-3/ demand)
[35), Table 3-7 2.4E-5 Failure Beta Factor - 0.08 N.O. MOV Plugs CMT, ACC, PRHR,
[34), Table 1 4E-6/ demand IRWSTIN, RESMP, (0.1
- 4E-5/ demand)
CSS, EXTCC N.O. MOV Fails to CMT, ACC, PRHR,
[3], Table 8.2-5 4E-6/ demand Remain Open IRWSTIN, RESMP, same as MOV Plug CSS, EXTCC value N.O. A0V Plugs or CSS
[3], Table 8.2-5 4E-6 + 4E Fails to Remain same as MOV 8E-6/ demand Open Plugs /FTRO N.O. Manual Valve PRHR
[3), Table 8.2-5 4E-6/ demand Plugs same as MOV Plug value Check Valve Fails ACC, IRWSTIN,
[3], Table 8.2-5 1E-5/ demand to Open RESMP, CSS (0.1
- lE-4/ demand)
[ References are listed in the reference section of this report)
(*) System Acronyms are as follows:
CMT - Core Makeup Tank ACC - Accumulator PRHR - Passive Residual Heat Removal System IRWSTIN - Injection from In-Containment Refueling Water Storage Tank RESMP - Containment Recirculation / Sump Injection CSS - Containment Spray System (Inside Containment)
EXTCC - External Containment Cooling and Water Injection to Containment Shell Surface Pinine.
For each of the systems, piping integrity failures have been assumed to have a low probability and can be neglected.
Inj ection piping blockage has been assumed to be included in valve plugging events, for systems where plugging events have been included in the valve failure model:
For CMT, the value for injection line blockage is estimated by using the value in Table 8.2-5 of [4] for plugging of a manual valve (since a normally open manual valve is included in the injection line, but was not modeled under valves). For the EXTCC, injection line 3-22
blockage is estimated from a sump plugging value in Table 8.2-9 of [4] (as discussed in the next paragraph). This analogy is drawn because the PCCWST has one of its three suction lines originating in a sump area at the bottom of the tank.
Sump. For the RESMP tree, the sump screen plugging event is estimated from the value reported in Table 8.2-9 of [34); the value (SE-5/d) has been reduced by a factor of 100 since the error factor reported is 100. Structural integrity failure of the sump is neglected due to low expected probability.
Flow Diversions.
In many cases, flow diversions which are expected to be core subtle than a check valve failure in a sufficiently large diversion line are included under natural processes. These diversions are expected to degrade, but not completely prevent, the system's operation. Check-valve backflow diversions have been explicitly listed in the component failure portion of the trees for ACC and IRWSTIN.
Here, check valve (s) that are initially closed fail due to
" Catastrophic Internal Leakage", assigned a value of SE-7/hr for both [36) (Table 5.1-1) and [34) (Table 1).
Over a 24-hour period this amounts to about a 1E 6 failure probability, after reduction by a factor of 10.
For the ACC, two check valves must fail, resulting in a very unlikely diversion event. For the IRWST, just one check valve failing in this manner could produce the flow diversion, i
Human Actions.
Two operator actions appear on the screening trees.
One involves operator action to align and start alternate water sources to inject to the containment shell surface for EXTCC, after failure of passive injection or exhaustion of the water supply in the PCCWST.
The second event is operator failure to actuate the CSS system.
The values for these events are estimated based on vendor information.
3.2.4 Results of Component Screening Calculations The overall lower-bound estimates for component failures for each of the screening trees in Figures 3.2-1 through 3.2-7 are summarized here:
PASSIVE SYSTEM LOWER-BOUND SCREENING ESTIMATE CMT 1.4E-5 ACC 2.8E-5 PRHR 4.3E-5 IRUSTIN 2.9E-5 RESMP 3.9E-5 1
CSS 8.2E-4 EXTCC: Total, with 1.0E-9 Active Alternate Water System
{
(EXTCC: Passive 1.0E-5
~
Spray Only)
As can be seen from this listing, with the exception of CSS and EXTCC with alternate water sources, all values for the total lower bound for component failures fall between 1.0E-5 and 4.3E-5, a very narrow range. With the component failure lower-bound estimate approximately equivalent for these systems, the 3-23
i preliminary prioritization of the systems will be based entirely on the character of the natural process uncertainties involved, and the system's perceived importance to accident mitigation. Note that the latter consideration is more systematically handled by the sensitivity calculations described in Section 3.6.
Two systems fall outside this narrow range of active system estimates: CSS and External Containment Cooling with alternate active water systems in addition to the passive PCCWST injection system.
Since the lower-bound estimate for CSS component failures is approximately 20 times higher than the next highest system (PRHR), it stands out as a more likely candidate for screening from further consideration of natural process uncertainties. In fact, as is discussed in the next section, this system has fewer and less significant natural process uncertainties versus other systems. Also, based on an understanding of the newer i
design version, CSS no longer plays a role in averting core damage. With this higher screening estimate and the other considerations just mentioned, CSS is assigned a very low priority for further analysis.
For the EXTCC system with active alternate water sources modeled, the lower-bound estimate is very low.
Therefore, the contribution to the total system failure distribution from the numerous natural process uncertainties will likely be significant. Depending upon the importance of the system to accident mitigation, this may be a likely candidate for natural process assessment.
3.2.5 Natural Process Discussion The, result of the active component screening is that the total active failure screening probability for nearly all the passive systems are essentially equivalent (except CSS and EXTCC). Thus, for the AP600 anyway, this quantitative screening step did not provide a basis for screening many systems from further analysis.
Attention must therefore be focused on the natural process uncertainties influencing each system's operation, as well as system importance to accident mitigation, in order to prioritize the systems for later analysis.
4 In this section, the natural process uncertainties for each system will be examined qualitatively. Arguments will be presented regarding the importance of specific uncertain parameters, and which uncertainties will likely be eliminated 1
from further consideration. The expected importance of the system in the context of accidert mitigation will also be discussed.
All of this information feeds into the prioritization of the systems and natural processes for further analysis, and, when combined with the sensitivity calculations described in Section 3.6, will provide the basis for selecting natural processes and system success / failure combinations for in-depth assessment.
Table 3.2-2 provides a summary of the natural processes involved in the operation of each of the passive systems.
As can be seen in the table, gravity-induced flow and natural circulation are involved in several systems' operation.
In Table 3.2-3, the natural process parameters / uncertainties applicable for each system and process are indicated.
These are the uncertainties listed in the
" Tabular Or" for each natural process in the screening trees (Figures 3.2-1 through 3.2-7).
This list should contain most of the important uncertainties, 3-24
f I
Table 3.2-2. Natural Processes Involved in AP600 Semi-Passive Safety Feature Operation.
APPLICABLE PROCESSES I
SEMI-Natural Evaporative Conden-Gravity Gas PASSIVE Circulation of
& Radiative sation Induced Pressure SYSTEM Air / Vapor / Liquid Cooling Flow Induced Flow CMT X
ACC X
PRHR X
IRWSTIN X
RESMP X
X X
CSS X
X i
EXTCC X
X X
but more will likely be identified in later phases of the study when the thermal-hydraulic models are developed.
In this table, some of the items are specific parameters, such as temperature, and would be examined in the in-depth analysis as variations due to uncertainty in the parameter.
Others, such as initiator effects, could be considered in the natural process analysis by their affect on parameters in the system model.
Process uncertainties of note are dasign/ construction errors, initiator effects, and pressure effects, all of which apply to many of the systems (design / construction errors apply to all).
Table 3.2-4 provides a depiction of the coupling among the various natural processes. Three main types of coupling are indicated: heat transfer from one system boundary to another, water supply for one system dependent on the functioning of another, and interaction between two systems if both operate in a particular accident sequence. The table is in a matrix format with the same systems / processes listed down the first column as across the top row. They are dsnoted "A" and "B" respectively. Heat transfer interfaces indicate transfer of hsat from process "A" to process "B".
Water supply is indicated as process "B" supplying process "A". The couplings listed in this table must be considered in j
the natural process assessment, either through simplifying assumptions (e.g'.a conservative, constant heat transfer rate through an interface), or through datailed modeling of the uncertainties involved in the coupling.
For each of the passive systems, the following sections will discuss the system's l
natural process uncertainties in terms of their potential to contribute i
(Text continues on Page 3-30) i l
l 3-25
Table 3.2-3. Natural Process Parameters / Areas of Uncertainty.
NATURAL PROCESS SYSTEMS /PR0 CESSES PARAMETERS /
UNCERTAINTIES CMT ACC PRHR IRWSTIN RESMP CSS EXTCC Grav.
Pres Nat.
IRWST Gravity Grav Nat.
Pres Steam Spray HO Air 2
Inj.
Inj.
Cire Heat Inj ect Inj.
Cire.
Inj.
Cond.
Cool Cool PRHR Rmvl.
&Cond.
Design /Const. Errors X
X X
X X
X X
X X
X X
X Initiator Effects X
X X
X X
X X
X Local Pressure Effects X
X X
X X
X Subtle Flow Diversions X
X X
Flow Resistance X
Flow Restrictions X
w L
Struct. Integ.: Piping X
e Struct. Integ.: Tanks X
X Struct. Integ.: CNT X
X Temp. Differential X
Tank /CNT Pressure X
Effect of Depress.
X X
Sys. Operation Effect of PRHR HX Use X
Water Supply X
X X
Poss. Recire. Inj ect X
through Break
Table 3.2-3. Natural Process Parameters / Areas of Uncertainty (concluded).
NATURAL PROCESS SYSTEMS /PR0 CESSES PARAMETERS /
UNCERTAINTIES CMT ACC PRHR IRWSTIN RESMP CSS EXTCC Crav.
Pres Nat.
IRWST Gravity Crav Nat.
Pres Steam Spray HO Air 2
Inj.
Inj.
Cire Heat Inj ect Inj.
Cire.
Inj.
Cond.
Cool Cool PRHR Ray 1.
6Cond.
Temp./ Quality of CNT X
X Atmosphere Flow Pattern X
Variations Effects of Heat Sinks X
in CNT CNT Pressure X
Temp./ Quality of Spray X
Temp./ Quality of Tank X
X Water Water Spreading X
Effects i
Shell Heat Transfer-X Local Effects Clogging of Drain-X Restricting Air Flow l
Exterior / Interior CNT X
Building Temperature Exterior Air X
Quality / Velocity
lll
!l l
r o 1
3 iAoC C
l O o C
2 1
3 T
Ho X
C E
yar 2
p S
m.
ad S
en 3
t o E
S SC S
S C
s.
S ej 2
rn E
PI C
se O
.d s)
. e t
n s e R
r 1
2 2
eg a
o 3
i ca P
N C
P M
C &
op r
S
/
E Pt x R
S v
l e aj an r
M rn CI un E
t o a
Ns T
N y t r
I t
c S
T i
f e e
ob S
v 3
m Y
W ajn gu R
r I S
I G
nn i
lf po T
B t
u S
l a
on W
v 1
3 e
C o R
m i
R H
I R
.t H
4 a R
- n P
eR
- 2. la t rH air 3 p NCP x
eE l(
s.
b C
a C
ej T
A rn PI T
v M
ajn C
r I G
n g
o n
d n
g i
n i
n S
t e
o t
y j
E r
i aX t
y l
n o
l i
c S
u t
eH i
t a
I n
y o
l C
e S
s a
a o
o Hm v
i r
mo E
j sn l
n n
d r
C o
n a
v u
e ai C
eo u
To r
a t
o o
n p
C I
r et S
r O
ri c
r i
i a
S G
r a
u t a F
t t
e r
" R Pt Rr U
G N
y s
S s AP c
i c
c n
t i
s n
t H
R C
l Ne e
o a
A
" /
se i
R I
e
- e i
C W
a j
Pj P
r Sd v
aj P
I SM C n l
v T
M M
P S n C
n n
t a
E I
a Ro S
S S
C o I
I a
T r
l X
C T
r m
W E
E C
H C
C u
Re R
R Ru S
E C
C SY C
t R
c C
T P
I S
T A
a r
T X
S C
N i
X E
M C
E C
,h 7I; i1 l
g..
T&ble'3.2-4. Coupling of Natural Precssses-(ctntinued).
~
Fwn1=n= tion of N==hers 1.
Heat transfer interface from. process "A" ' to process "B"
(consider variations in - parameters, -such J as.
temperature differential, transfer coefficient, etc., associated with this coupling).
i 2.-Process "B" provides water supply.for process "A".
4
- 3. Possible interaction if both systems / subsystems operate in an accident sequence.
- Included under temperature / quality of containment atmosphere parameter in Table 3.2-3.
l i
l d
T 3
m
)
1 r
i i
h' 4
5 i
i 4
5 i
____._______________________.__._______________.__..._,_____.._........._.._.__.-..,...._a-,;.__.,___
._._..___...,..2-
i to system failure. Insight as to the system importance for accident mitigation is provided in a very general way, and is based, as discussed previously, on the January 1989 version of the design.
The sequence-screening based on the sensitivity calculations discussed in Section 3.6 will determine system importance in a more systematic, quantitative manner for the more recent design version.
Relevant vendor analyses and tests will be briefly discussed, along with any other arguments related to establishing the importance of the process uncertainties.
3.2.5.1 Core Makeun Tank Four process uncertainties have been identified for the CMTs.
Design /
construction errors are the first set.
These uncertainties appear for all the passive systems, and involve such possibilities as improper sizing of components, specification of incorrect materials, or construction outside design-specified tolerances.
Of course, all the natural process uncertainties which could potentially contribute significantly to system failure could be classified under
" design errors".
However, what is meant by this term in the context of this analysis are more " routine" design errors, such as use of improper analytical models to design a component. As such it is expected that current and planned experiments to verify analytical models and CMT performance, along with extensive design review for plant certification would reveal a number of such errors.
Similar arguments can be made for the other systems, particularly those for which specific tests are planned during the pre-certification phase.
According to documents describing preliminary plans for design certification tests, these would include the CMTs, PRHR, recirculation, and external containment cooling.
All of these systems have been, or are planned to be, the subject of testing.
As for construction errors, the claims of extensive factory fabrication with associated quality control, along with site quality assurance can be applied to argue that a number of these errors would be identified before plant startup.
Also, although it is not presently clear what specific pre-commercial testing will be performed for the advanced plant, such tests would aid in revealing some design and construction errors. Such testing could conceivably be performed for CMT, ACC, PRHR, and IRWSTIN.
Design / construction errors will generally be difficult to characterize. These are potentially important to system failure, and could be expected to be particularly important for ALWRs in early etages of commercial operation, without confidence that many such errors have been uncovered in numerous years of operating experience, as for current-generation plants.
Initiator effects would involve processes such as partial diversion of fluid through a break near a safety injection line. These are more subtle and involve degradation of system performance, rather than the " smart break" (break of the direct vessel safety injection lines) events that alone fail the affected train of the system. These sorts of failures can be postulated for many of the passive systems.
In the case of the CMTs, sensitivity to LDCA location affecting pressure equilibration or involving flow diversion should be examined in the CMT natural process analysis.
The vendor has performed some thermal-hydraulic analyses in this area, and there will probably be more performed in support of licensing. However, additional effort is necessary to provide quantification (in 3-30
the context of natural process uncertainties) of this potentially important cffect. - Sensitivity to non-IDCA initiator effects is felt to be of lesser importance for the CMTs. This is also generally true for other passive systems, with the exception of PRHR.
Local pressure effects are uncertainties affecting injection systems, where non-uniform pressure in the injection / pressure equilibration path might inhibit flow.
l These are similar to initiator effects, described above. An example for the CMTs is' complete quenching of the steam which, after CMT actuation and RCP trip, travels from the stratified cold leg to the top of the CMTs through the pressure i
squalization lines. This may cause a pressure drop at the top of the tanks, and -
inhibit gravity injection. There is some question whether scaled model testing i
cr thermal-hydraulic modeling without great detail would identify such effects.
These effects should therefore be considered in further in-depth analysis.
?
Subtle flow diversions that might be postulated for the CMT would involve fluid 4
interactions between the CMT and the pressure equilibration to the pressurizer
(
or cold leg.
These interactions have been addressed to some extent by vendor i
enalyses, and are considered of somewhat lower priority for future analysis than initiator and pressure effects, i
Bzsed on the above discussion, the natural process uncertainties which should be censidered for their affect on CMT performance include design / construction 1
orrors, initiator effects, pressure effects, and to a lesser extent, subtle flow j
diversions. In terms of importance to accident mitigation, the CMTs and ACCs are
{
the only high pressure injection systems, and are therefore considered important to accident mitigation. Without depressurization, these two systems are the only c2ans of injecting coolant under high pressure conditions.
3.2.5.2 Accumulator The natural process uncertainties listed in Table 3.2-3 for the' accumulator (ACC) f cre design / construction errors, initiator effects, and local pressure effects.
i The description of these effects given for the CMTs in the previous section gsnerally applies to the ACCs, with the exception of the CMT pressure squilibration lines. Because the AP600 accumulator is basically the same concept cs those in current-generation PWRs., all of these effects are generally of lesser cencern since the ACC is a more " proven" current technology versus the other psssive systems.
On the other hand, the ACCs are considered to be of similar j
importance to accident mitigation as the CMTs, as discussed above. Still, it is felt that the natural process uncertainties are of lesser concern for the ACCs, bscause the ACC is a more proven concept.
3.2.5.3 Passive Residual Heat Removal System I
The PRHR is divided into natural circulation in the primary and IRWST heat removal from the PRHR HX. There are numerous uncertainties listed in Table 3.2-3 for these two processes.
Design / construction errors appear for both and are
[
likely important, even though the system will be subjected to extensive vendor testing and thermal hydraulic analyses, based on testing plan documents.
i i
3-31 1
For natural circulation in the PRHR, initiator effects, local pressure effects, flow resistance uncertainties, and temperature differential sensitivities have all been identified as potential natural process uncertainties. These numerous uncertainties all have the potential to influence system performance. Another parameter indicated is structural integrity of the system piping; this uncertainty, involving degradation of structural integrity as a result of or l
during system operation, is expected to be of lesser likelihood (and thus importance) for internal initiators than the other uncertainties, j
For IRWST heat removal (which is coupled to containment heat removal), the following are postulated as possibly influencing heat removal capability: flow restrictions / obstructions in the tank, the effect of operation of the depressurization system spargers, and the effect of varying water level in the tank. Again, structural integrity of the tank is indicated, but is considered unlikely to influence system failure significantly.
The influence of tank / containment pressure is likewise felt to be of lesser importance.
Some of these process uncertainties, such as varying IRWST water level over the mission time of the system, are addressed to some extent in analyses or planned experiments.
However, it seems likely that the processes will be sensitive to these uncertainties. The uncertainties should therefore be considered for their contribution to system failure. The PRHR is important for transient initiators.
However, alternate active systems can perform the PRHR function for each of the initiators, so the system is probably somewhat less important versus CMT and ACC for accident mitigation.
3.2.5.4 IRUST Iniection The gravity injection of the IRWST to the vessel is influenced by some of the same processes as CMT inj ection.
Design / construction errors should be considered, and pressure and initiator effects are potentially important for this system.
In addition, the effect of depressurization system operation and PRHR HX use may affect conditions in the tank and thus the injection capability.
These are felt to be less significant considerations.
The question in some accident sequences of longer term water supply to the IRWST involves coupling to containment recirculation.
The large water supply in the IRWST is very important for LOCA mitigation, but alternate means (a backup active cooling system) for injection will also deliver the tank contents should valves fail to open or the natural process of gravity injection not be adequate to cause injection.
IRWST injection, similar to the PRHR, is thought to be less important relative to CMT and ACC in terms of accident mitigation.
3.2.5.5 RESMP Internal Containment Recirculation and Sump IniectioD l
Gravity injection from the sump could potentially be affected by some of the same design / construction errors, initiator and pressure uncertainties as CMT effects, and subtle flow diversions.
Any of these could be contributors to failure of sump injection to the vessel.
Another consideration affecting the process is possible injection through the break.
This could be modeled as an l
3-32 1
citernate route for sump vessel injection. Gravity injection from the sump is J
coupled to containment recirculation, l
i The containment recirculation process could be influenced by design / construction crrors, initiator and pressure effects (such as steam break location), flow diversions, temperature / quality of the containment atmosphere, flow pattern 1
cffects, and effects of heat sinks within containment. The natural circulation cnd condensation processes involved will likely be sensitive to variations in crch of these parameters.
Flow diversions of the fluid such that it does not rcach the sump (or the IRWST in the revised July 1991 design version) for racirculation to the vessel is potentially an important consideration.
The l ~
offect of a lack of containment integrity on flow diversion potential should be c:nsidered.
The remaining parameters would each impact heat transfer offectiveness in some way.
This process is an important one in terms of accident mitigation in that it is coupled to numerous other processes. Scaled testing of the overall containment haat removal process (internal and external) is planned by Westinghouse, and may rssolve a number of the major uncertainties.
However, it is not clear that tasting alone or in conjunction with some thermal-hydraulic modeling would rasolve all important uncertainties, such as initiator effects and coupling with other processes.
The containment recirculation process is a complex one, potentially affected by many different parameters.
This leads one to the conclusion that, based on the number of uncertainties, containment recirculation chould be a relatively high priority for in-depth assessment.
3.2.5.6 Containment Sorav System (Internal) l The containment spray system involves both pressurized gas-induced flow to the l
cpray ring header, and steam condensation by the spray. Pressurized gas-induced flow has few uncertainties postulated; design / construction errors and containment pressure are considered minor influences to system failure versus the higher cetive failure contribution (due to the need for operator actuation).
The steam condensation process potentially could be affected by initiator effects l
(e.g. LOCAs), and temperature / quality of the containment atmosphere and the spray water.
This process could interact with containment recirculation if both processes function during accident mitigation.
Because this process is essentially the same as for current-generation PWRs (with pumped water supply),
with the exception of possible containment recirculation process interaction, this can be considered more a " proven" technology, as are the ACCs. The system is of much lesser importance to accident mitigation, and is assigned a low priority for further analysis.
3.2.5.7 External Containment Cooling The external containment cooling system is an interesting combination of several n:tural processes. Gravity injection of spray to the containment shell surface (for which an alternate active system exists), radiative, evaporative, and natural convection air cooling of the containment surface are all coupled to provide overall external containment heat removal to the ultimate heat sink.
3-33
The gravity spray portion of this system is probably the least likely to be affected by process uncertainties:
it may be affected by design / construction errors, structural integrity of the tank (lower likelihood except for external initiators), and temperature / quality of the tank water (probably not a large contributor to system failure).
One may note from the screening tree (Figure 3.2-7) that these processes only feed into success of the spray, and not overall containment cooling (because of the alternate spray source); the screening value which should be used for these processes is lE-5.
These natural process uncertainties, and thus this natural process in general, are therefore not of high priority for further analysis.
The water and air cooling of the external containment shell are the subject of numerous vendor tests and analyses. These processes are of particular interest because their active screening value is so low (IE-9), making any natural process uncertainty contributions to system failure potentially more important (although the overall failure probability may be low).
The water cooling process involves gravity flow of the water over the surface of the shell, with evaporative and radiative cooling to remove heat from the containment interior.
Considerations for this process include design / construction errors, containment integrity, temperature / quality of water, water spreading effects, and heat transfer variations from the containment interior.
The numerous past or planned tests for the containment heat removal system should reduce the likelihood of design errors, but these must still be considered. For this process, construction errors may be of slightly higher concern than for other processes if the design tolerances are very small in order for the system to operate.
Containment shell integrity may be a concern as a result of use of the spray (cooler water injected on hotter steel shell). The temperature / quality of water are parameters that could affect the process effectiveness.
Water spreading effects have been examined in vendor tests / analyses, but are still of interest.
One uncertainty, water film disturbance due to rapid upward air movement, is probably not as important based on preliminary estimates of the maximum air flow expected and the estimate for the air velocity needed to disturb the film; the latter exceeds the former based on vendor test / analysis results.
Flow ma1 distributions on the surface of the shell could in general be important for heat removal and, to a lesser extent, for structural integrity of the shell due to thermal stresses. Flow ma1 distributions were examined in preliminary vendor tests, and some sensitivity to this parameter was found.
The external air cooling process is postulated to have the following natural process influences: Design / construction errors, initiator effects (essentially only external events, which are not being considered in this analysis),
structural integrity of the containment building, clogging of water drain or other obstructions to air flow, exterior and interior containment building temperature, and external air quality / velocity.
As for the evaporative / radiative cooling processes, design errors may be lessened due to the numerous containment cooling tests and analyses planned or completed, 3-34
but construction errors may be more important if design tolerances are small for the structures.
Structural failure of the containment building itself is not c:nsidered to be a likely outcome of system use, except when external initiators cre considered.
i Clogging of the water drain located at the bottom of the annular flow area was p:stulated for this screening analysis. A rough calculation was performed of the vslume of water needed to fill the annulus up to the point where air flow is ecmpletely obstructed.
Assuming full or partial clogging of the drains, the amount of water in the PCCWST would be enough to fully or partially block air flow in the annulus.
Full blockage might occur if about 70% of the fluid injected on the containment surface did not evaporate. Based on this very rough csiculation, this effect may need to be considered in future analyses.
Other cbstructions of the air flow are also potential uncertainties to be considered in the analysis.
Exterior and interior containment building air temperature and quality are parameters which should be investigated further.
The effects of external air speed and direction have been the subj ect of vendor testing, which indicated gsneral insensitivity to these parameters. Although of much lower priority, some further examination of sensitivity to wind velocity may be warranted to determine if this should be a parameter considered in later analysis.
This system, in the January 1989 version of the design, is thought to be of lesser importance to accident mitigation versus CMTs or ACCs.
Based on an understanding of the newer July 1991 design version and thermal-hydraulic calculations performed by Westinghouse, the water spray portion of this system is of very limited importance to accident mitigation. However, the spray system is important in its interface to internal containment heat removal, affecting internal containment processes.
3.2.6 System-Level Screening Analysis Conclusions Based on the arguments presented in Section 3.2.5, and the results of the rough component failure screening analysis, a preliminary prioritization of passive systems has been constructed.
For two of the systems, EXTCC and CSS, the numerical screening on active failure contribution actually aided in the prioritization.
However, since the remaining systems' screening numbers fell within a very narrow range, their ranking is based more on qualitative arguments regarding natural process uncertainty importance. Some information from vendor cnalyses and tests was applicable for ranking of specific uncertainties within a system. Nonetheless, most of the reasoning for prioritization of the remaining systems centered on the character of the natural process uncertainties for a given system:
each system's set of process uncertainties was examined (qualitatively) to determine which uncertainties were most likely to contribute to system failure. The more important uncertainties identified for each system were compared to those for other systems, in order to rank the systems roughly in terms of the expected influence of their natural process uncertainties on system failure.
Also considered, but to a lesser extent, was the expected irportance of the system to accident mitigation. This importance is addressed tore formally (quantitatively) in the sequence-level sensitivity calculations described in Section 3 6.
3-35 i
The results of this ranking are presented below.
First the system is listed, then the natural process (es) involved in the system's operation (in decreasing priority), and finally (in parenthesis) the more important natural process uncertainties for that system. A " tie" among three systems is indicated, because of the coarse nature of this screening. The qualitative information for these systems was not enough to make a decisive ranking. They are listed in decreasing order (3A, 3B, 3C) according to the best estimate for their natural process uncertainty importance.
PRELIMINARY RANKING OF PASSIVE SYSTEMS AND THEIR NATURAL PROCESSES (With Their More Imoortant Natural Process Uncertainties Listed)
- 1) EXTCC Water and Air Cooline of hizh oriority for analysis with the j
around that of the Gravity-Driven Sorav of much lower oriority Accumulators (oriority 6).
I (Design / Construction errors, temperature / quality of water spray, water spreading effects, shell heat transfer rate, clogging of drain or other flow obstructions, exterior / interior containment building temperature, external air quality and velocity, and construction errors)
- 2) RESMP i) Natural Circulation and Condensation (Containment Recirculation)
(Design / Construction errors, initiator / pressure effects, flow diversions, temperature / quality of containment atmosphere, flow pattern variations, heat sinks in containment) l ii) Gravity Iniection from Sumo (Design / Construction errors, initiator / pressure effects, flow diversions, recirculation injection through the break, coupling to containment recirculation) 3A) PRHR i) Natural Circulation (Design / Construction errors, initiator / pressure effects, flow i
resistance uncertainties, temperature differential, coupling to IRWST heat removal)
- 11) IRUST Heat Removal (Design / Construction errors, flow restrictions / obstructions in tank, operation of depressurization system, water level in tank, coupling to containment recirculation) 3B) CMT Gravity Iniection (Design / Construction errors, initiator / pressure effects, subtle flow diversions) j 3C) IRWSTIN Gravity Iniection (Design / Construction
- errors, initiator / pressure
- effects, coupling to containment recirculation) i
- 6) ACC Pressure-Induced Flow (Design / Construction errors, initiator / pressure effects) i 1
3-36
~
b
- 7) CSS i) Condensation of Steam (Design / Construction errors, initiator effects, temperature and 9
quality of containment atmosphere and spray water)
- 11) Pressure-Induced Flow (Design / Construction errors)
As can be seen from the list, external containment cooling is highest, due to the low active screening value, and the large number of potentially important natural process uncertainties. Note that gravity spray injection for the containment is l
by itself considered a lower priority for analysis. Also of note, however, is that in the newer design version analyzed in the sequence-level quantitative enalysis (Sections 3.4 through 3.6),
external containment cooling is not j
considered important to accident mitigation.
Thus, when considering the newer dasign version, the priority of including the system in later natural process assessment should be greatly reduced.
RESMP is the next highest priority following EXTCC, also because of a large I
number of natural process uncertainties, and because of coupling of containment i
recirculation to other natural processes.
As indicated, containment recirculation should be considered before sump injection for in-depth assessment.
The three tied systems all have potentially important natural process i
uncertainties, but to a lesser extent than EXTCC and RESMP. PRHR seems to have the more 1.ikely contribution of process uncertainties to system failure, followed closely by the two gravity injection systems: CMT and IRUSTIN. The ranking of these should be resolved based on the results of the sequence-level calculations.
The ACC and CSS are last, partially because of the argument that they closely represent " proven" technology of currently operating PWRs.
CSS also had the highest active failure screening. Both these systems are perceived to have fewer natural process uncertainties of importance.
In summary, the AP600 passive safety systems included in the January 1989 version of the design have been ranked in a preliminary manner, according to the importance of their natural process uncertainties to system failure. This list was based on both active failure screening and largely qualitative arguments regarding natural process uncertainties. Factored in to a lesser extent was the expected importance of the system to accident mitigation; this is handled more systematically in the sensitivity calculations described in Section 3.6.
The actual selection of natural processes for in-depth analysis will likely be influenced by modeling limitations and economics, in addition to the ranking presented here.
3.3 Systems Analysis I
i
'Ihis section describes the systems analysis tasks necessary for the sequence-level quantification discussed in Section 3.6.
The methodology for the i
component failure quantification is described in Section 2.2.2.
The systems j
enalysis involves constructing fault trees for each of the passive safety systems serving the AP600 emergency cooling and decay heat removal functions. Somewhat less detailed fault trees or system reliability estimates are provided for the 3-37
+9
-sqn--.,w-
-m.
-m--,
,<-- -v---
-m-
.r-m.
y
-g.--w--w,-
-:--.y.
y.-3
-w s,.yy 47
,-.-,+-s wy---,--m-g
--y-.+-+
e
-w-.
g..
yg-maeI
p.
non-safety active and ' support systems. The reason for the less detailed active system trees and reliability estimates is that the focus of the study is on the passive systems, and resources have been concentrated in this area.
Also, in some cases inadequate information is available for modeling of a system; system reliability estimates are required in these cases and are generally based on Westinghouse estimates.
It is important to note that much of Section 3.3 is contained in proprietary appendices to this report.
These appendices must be protected as proprietary because they contain information regarding the Westinghouse system success criteria, which are proprietary. These Westinghouse success criteria formed the basis for the " base-case" success criteria incorporated in this systems analysis.
Sensitivities to the system and sequence-level success criteria are investigated in Section 3.6.2.
Much of the fault tree discussion and all of the actual fault trees are contained in proprietary appendices.
Section 3.3 discusses the fault tree development task, including system descriptions and modeling assumptions. In the case of active systems for which I
a fault tree was not developed, the system reliability estimates are discussed in Section 3.5.
Again, only the emergency cooling and decay heat removal functions are being analyzed for the sequence-level component failure j
quantification; as such, no reactivity control systems are included in the l
systems analysis task. Also, component control and actuation systems were not handled in a detailed manner, so that the greater dependence on computer software in the AP600's design of these systems is not reflected in the models, j
1 J
The design version analyzed in the systems analysis incorporates design changes and clarifying information obtained through July 1991.
This represents an updated version over that analyzed in the system-level qualitative analysis discussed in Section 3.2, which was based on January 1989 design information, i
However, numerous design changes have occurred since the completion of this analysis, and this should be considered when viewing the system information and analysis results in this report.
3.3.i Fault Tree Development The fault tree development task of the passive system reliability program involves creating relatively detailed fault tree models for the AP600 passive systems and less detailed models for other non-safety accident mitigating and support systems. Table 3.3-1 provides a summe.ry of the modeling approach for the systems included as top events in the accident sequence event trees described in Section 3.4.
(Note: a " smart-break" IE A refers to a small or medium break in one of two Direct Vessel Injection (DVI) lines, which disables all passive injection trains which feed the vessel through that DVI.
The DVIs are also referred to as Safety Injection Lines on the schematics in this section.) The simple reliability estimates or human reliability estimates indicated in the table are discussed in the data analysis description, Section 3.5.
The support systems include component cooling water, for which a system reliability estimate was calculated, and AC and DC power supplies, for which relatively detailed fault trees.were developed.
4 3-38 1
I l
E l
}
I i
f TABLE 3.3-1 SYSTEMS ANALYSIS
SUMMARY
)
EVENT TREE DESCRIPTION TYPE OF MODEL TOP EVENT ACCl Accumulators, success criterion for a Fault Tree non-smart-break LOCA ACC2 Accumulators, one of one success Fault Tree criterion for a smart-break LOCA CI Containment Integrity; represe'nts Reliability Estimate isolation of the containment needed
(
for internal containment recirculation processes CMTl Core Makeup Tanks, success criterion Fault Tree for a non-smart-break LOCA CMT2 Core Makeup Tanks, one of one success Fault Tree criterion for a smart-break LOCA
- DEP02, Operator actuation of the DEPX and CMTl Fault
- DEP03, depressurization system and Core Trees combined with DEPO 4 Makeup Tanks (Feed & Bleed)
Human Reliability Estimate DEPl Automatic Depressurization following Fault Tree a large LOCA DEP2 Automatic Depressurization following Fault Tree a Medium LOCA DEP3 Automatic Depressurization following Fault Tree a Small LDCA DEP4 Partial depressurization Fault Tree ECC External Containment Cooling, either Fault Tree for Passive I
(Sensi-by passive water injection to Coolant Injection; tivity containment shell or by operator Reliability Estimate Event actuation of active alternate for operator action Trees)
(Firewater) system and Firewater system component failures IRT1 Gravity Injection from the In-Fault Tree containment Refueling Water Storage Tank (IRWST), non-smart-break LOCA IRT2 Gravity Injection from the IRWST, Fault Tree through one of one line (smart-break LDCA) 3-39
i TABLE 3.3-1 Continued.
SYSTEMS ANALYSIS
SUMMARY
EVENT TREE DESCRIPTION TYPE OF MODEL TOP EVENT MFW Main Feedwater System Reliability Estimate NRH1 Normal Residual Heat Removal System:
Fault Tree RCS Recirculation Function NRH2 Normal Residual Heat Removal System:
Fault Tree Inj ection and Recirculation from IRWST PRH Passive Residual Heat Removal System Fault Tree RPT Reactor Coolant Pump Trip Reliability Estimate SFW Startup Feedwater System Simplified Fault Tree SGI-0 Operator Isolation of Steam Generator Reliability Estimate after Tube Rupture event SMP1 Internal Containment Recirculation-Fault Tree (Sensiti-Sump Inj ection, non-smart-break LOCA vities)
SMP2 Internal Containment Recirculation-Fault Tree (Sensiti-Sump Injection, one of one inj ection vities) line (smart-break LOCA)
SMTBR Smart Break LOCA Probability Probability Estimate WRC Water Recirculation (return of fluid Simplified Fault Tree condensed on interior containment shell to the IRWST)
Appendix P2 (proprietary document) contains the fault trees developed for the various systems.
The systematic modular logic approach described in NUREG/CR-3268, " Modular Fault Tree Analysis Procedures Guide" (30), was used for guidance in constructing the various fault trees, to enhance completeness of the analysis.
As has been discussed, when fault tree development for AP600 passive and other accident mitigating systems began, the Westinghouse AP600 Plant Description Report (PDR) dated January 1989 served as the only system information source.
Design change or clarification information was incorporated as it was learned.
The passive system changes were discussed in Section 3.2.
In addition, non-safety active systems were significantly changed from the January 1989 PDR to July 1991. For example, a non-safety Normal Residual Heat Removal (NRHR) system has been incorporated in the design.
It should be emphasized that, even with the PDR and design change information, assumptions about the detailed characteristics and performance of the systems were required.
An effort has been made, where possible, to verify these 3-40
t casumptions with the designer. However, there are undoubtedly deficiencies in j
certain of the assumptions, dictating that caution be used when viewing the AP600 design information and analysis results in this report.
- In developing the system fault trees, common cause basic events for like redundant components within a system were included.
Common cause events are
-indicated mainly for valves which must change state, such as air-operated, motor-cperated, or check valves, or for air-or motor-operated valves which are
- nsraally open but fail closed.
Common cause events are also included for.
1 (normally open) valve-plugging events.
i i
Piping ruptures are considered'as initiating events (IhCAs), but pipe. ruptures f
during system response were not modeled explicitly on the fault trees. Section j
5.2 of Reference [30] discusses the difficulty associated with including the piping ruptures directly within the fault trees (greatly increased complexity of l
the trees), and justifies exclusion of these events using the argument that l
piping rupture is a very low probability event.in response situations.
l In the.next section, the event nomenclature and the general assumptions which cpply across the various fault trees are presented.
The subsequent sections i
present, for each fault tree model, a simplified schematic and description of the l
cystem, and tree-specific modeling assumptions.
In the simplified system-drawings, initial valve states are as indicated. Success criteria information and certain system specifics are contained in Appendix P1, and Appendix P2.
contains the individual fault trees, in alphabetical order.
Both of these cppendices contain proprietary information, and are in a ' separate, limited distribution volume.
'i 3.3.2 General Fault Tree Modeling Assumptions 1
This section lists modeling assumptions which generally apply to all the fault
{
trees contained in Appendix P2.
j i
Diversion paths of one-quarter diameter or less of the main flow path were e
considered not to significantly affect system performance, and were not included on system models. This is more conservative than the assumption used in the Surry NUREG/CR-4550 analysis [3), which eliminated all j
diversion paths less than one-third the main pipe diameter.
In general, diversion paths without credible fluid sinks, or. paths which require probabilistically insignificant combinations of valve failures, were
. excluded from the models.
f
}
Due to the short fault exposure times and level indications, faults leading -
e to level reduction in the various tanks (ACC, CMT, In-containment Refueling.
Water Storage Tank (IRWST or IRT), and the Passive Containment Cooling Water Storage Tank (PCCWST)) were not postulated.
Only demand type l
failures were considered for these tanks.
l r
[
3-41 I
t
Flow blockage of piping segments not containing components was considered to be negligible, and bounded by blockages associated with components such as valves or tank suction (which were considered) in other parts of the system.
Unavailability due to test and maintenance was not considered for safety system components based on vendor information regarding expected test and maintenance practices for the safety systems.
Our understanding is that maintenance will not be performed on safety systems during power operation, and that testing will involve stroking valves to the active position, thus not contributing to unavailability. Testing and maintenance of non-safety components, such as pumps, have been included in the active system models.
For valves which receive a signal to change to active state upon an initiator, mispositioning of the valve (e.g. normally open valve left closed) due to operator error (i.e. failure to restore after test and maintenance) was considered negligible.
Loss of control power or other support system to safety system valve operators was not modeled in the trees since these valve: " fail-safe" on loss of these supports (2).
One exception here is the depressurization system, for which the valves fail "as is."
Control circuit faults (interface between valve and control power / actuation systems) are not modeled separately but are considered to be included under the event "No Actuation Signal." (PRHR air-operated control valves are the exception to this.)
Common cause faults associated with series check valves failing to prevent backflow (flow diversion events) are not considered in the models.
The combinations of single check valve failures necessary to cause flow diversion are modeled where considered probabilistically significant.
The followinc apply oniv to the Normal Residual Heat Removal and Startuo Feedwater Systems:
Faults related to lubrication systems for the NRHR and SW pumps have not l
been included as separate events, but can be considered part of the j
failure-to-run events.
Dependency on chilled water (room cooling) is not considered in the fault tree models for NRHR or SW, due to lack of information.
Test and maintenance unavailability for stop check valves and for other system check valves were neglected.
Normally open stop check valves are modeled as simple check valves in these trees. A higher unavailability is 3-42 o
I assigned to the stop check. valves versus standard check valves, as discussed in the data analysis description, Section 3.5.
i 3.3.3 System, Component, and Event Identifiers Naming of events in the fault trees is as per NUREG/CR-4550 Vol. 1 [4):
SYS-CMP-FM-IDENT
+
i where SYS is a three-character system identifier, CMP is a three-character event i
component type identifier, FM is a two-character code for failure mode, and IDENT is a five-character event / component descriptor. Keys to the identifiers used in j
the fault trees follow. This section is duplicated in the proprietary Appendix P1 for clarity.
SYSTEM IDENTIFIERS (SYS) i ACC Accumulators ACP AC Power Supply System l
t CMT Core Makeup Tanks
\\
DEP Depressurization System ECC External Containment Cooling (passive water injection or active alternate (Firewater) injection with operator actuation) i i
IRT In-Containment Refueling Water Storage Tank Injection I
NRH Normal Residual Heat Removal System PRH Passive Residual Heat Removal System
.SFW Startup Feedwater System SMP Sump Injection WRC Water Recirculation i
i
~
1
+
t i
b 3-43 I
f
k.
L EVENT and COMPONENT TYPE IDENTIFIERS (CMP)
Valves:
ADV Air-Operated Valve CKV Check Valve (also used for Stop Check Valves)
MOV Motor-Operated Valve XVM Manual Valve BAT. Battery BUS AC or DC Buswork CBR(or CRB) Circuit Breaker CCF Common Cause Fault i
CHG Charger DGN Diesel Cenerator HTX Heat Exchanger FLR Flow Restriction
)
ICC Instrumentation / Control Circuit MCC Motor Control Center (electric power models)
MDP Motor-Driven Pump TFM Transformer TNK Tank XHE Human Error FAILURE MODE CODES (FM)
Valves:
I CO Normally Closed, Fails Open OC Normally Open, Fails Closed 00 Normally Open, Fails Open (Fails to Open on Demand)
FT Fails to Transfer FA Actuation Failure 3-44
~ FO Human Error:
Failure to Operate FR Failure to Continue Running FS
' Failure to Start HW Hardware Failure LK Leakage
' LP Loss of or No Electric Power MA Maintenance Unavailability PG Plugging RE Fail to Restore After Test or Maintenance TM Test and Maintenance Unavailability UE Undeveloped Event 3.3.4 ' Individual Fault Tree Descriptions In this section, the individual fault tree assumptions and system descriptions end simplified drawings are presented. The brief system descriptions are first, followed by discussion of system-specific fault tree modeling assumptions.
A 1
simplified schematic of the system is also presented, indicating the location of piping segments referred to in the fault trees. The system schematics for CMT, IRWST, and Sump Injection contain proprietary design details.
Non-proprietary varsions of the CMT, IRWST, and Sump Injection schematics are provided in this esction.
These are provided to give the reader an understanding of the system cperation, but several of the valving configurations are different from the d3 sign version modeled.
Appendix P1 contains the proprietary schematics for these three systems, as well as the same non-proprietary schematics presented in this section for the remaining systems.
All success criteria assumptions, because they are based on Westinghouse success j
criteria, are proprietary and are contained in Table Pl-1 in Appendix P1, Section Pl.2. The term " base case" throughout this report refers to the success criteria l
dsrived from our understanding of Westinghouse PRA information, current as of July 1991. The Westinghouse success criteria information was used because the scope of the Phase 1 calculations did not include thermal-hydraulic calculations to support independent success criteria development.
These base-case success criteria simply form a starting point to investigate the impact of more rsstrictive success criteria which may apply due to uncertainties in the natural l
i 3-45 i
- ~, - -
,--...~-r.
f processes involved in passive system operation.
Sensitivity to the success criteria assumptions is investigated in Section 3.6.
3.3.4.1 Accumulator (ACC)
Two accumulators are incorporated in the AP600 design. Figure 3.3-1 provides a simplified schematic of the accumulator system.
The accumulator design is similar to those in current-generation PWRs:
the accumulators are pressurized nitrogen overgas.
This is their only at approximately 700 psig with a dependency. As mentioned above for level indication, this support is not modeled
)
based on the instrumentation and short fault exposure times.
ASSUMPTIONS:
The relief valve on each accumulator is not considered a credible diversion path, due to its size.
Diversion from ACC to CMT is not considered credible because of the number of valve failures required and lack of credible fluid sink.
Pipe rupture
" prior" to these valves would be a " smart-break" IDCA, and is assumed to take out the affected train of the system.
Diversion to IRWST includes two check valve failures, and has been modeled since IRWST itself provides a fluid sink. Diversion to sump would require additional check valve or other valve failures, and is considered negligible.
Pipe ruptures prior to these valves would be defined as a smart-break LOCA.
3.3.4.2 AC Power Support System (ACP)
The portions of the AC Power support system relevant to this analysis are depicted in Figure 3.3-2.
Buswork failures, circuit breaker failures, and t
transformer failures were modeled for this support system.
Off-site power is represented as a single event on the tree, to represent random loss of off-site power (LOSP) occurring with another transient or LOCA initiator.
For the IDSP event tree sequence calculations, appropriate events in the tree were set to be ignored by IRRAS (those involving normal or alternate off-site power sources or applicable components). This system supplies power to the motor-driven pumps in the NRHR and SFW systems.
This tree is coupled to the DC power support system fault trees described in Section 3.3.4.4, through the chargers. Common cause failure of diesel generators and batteries are the only common cause events on the AC and DC power trees.
Actuation failures for the diesel generators were considered to be included under the failure to start event.
3-46
Figure 3.3-1. Accumulator System Simplified Drawing From Nitrogen From Nitrogen
,_ _ Support System Support System i
T001A T001B Y
O From Core From Core j
Makeup Tank Makeup Tank NJ N)
O o
c V027A M $
PS3 PS4 Mha PSI PS2 PS5 PS6 From IRWST/
From IRWST/
Sump Sump 1
- c
=-
r r-i-v
v=""
acam ('
sesz (i..= (
"= (r ""(r se o
a me o,.x (i.mx (. -
=,,== (I,== (I
=,to, C
=
m ma(,.
,g('
,em i
.=
o'=
,,, - ~
v,x emo - _
om= (
==v (
.-= (1
== (,
i i
a m.,,- C a== C'==(
==(
==(
-(
==(
==(
l muma" ~
v
,-cx "y m 1'
'* T CO
==
v=
Su!ssJa pe!;!ldw!s metsAs Jemod OV 'B-C'S eJn6 d
3.3.4.3 Core Makeun Tank (CMT) i l
The core makeup tanks are completely filled with borated fluid, and inject upon cetuation of their normelly-closed air operated valves in the injection and cold I
leg pressure-equalization lines.
A simplified schematic, which contains proprietary design details, is presented in Figure F1-3 in Appendix Pl.
Figure 3.3-3 provides a non-proprietary depiction of the CMTs; the design change I
rspresented in the proprietary schematic involves some minor injection line valve I
changes.
l The gravity head in the tanks provides the driving force for their injection, cfter pressure at the top of the tanks is equalized via a line from the cold logs.
(The pressurizer line indicated in Figure 3.1-3 only serves to prevent otresses on the system when actuated; it is not sized for providing adequate squalization during events requiring.large amounts of makeup such as LOCAs.) The fcur A0Vs associated with each CMT fail open on loss of control power or air.
Ao such, the only " support" necessary for the system is an actuation signal.
This has been modeled as a basic event on the fault trees for the system.
ASSUMPTIONS:
1 o
Diversion from CMT to ACC is not considered credible because of valves (two check) and lack of credible fluid si'k.
Pipe rupture " prior" to these n
valves would be a " smart-break" LOCA, and is assumed to take out the affected train of the system.
As mentioned above, the pressure equalization line from the pressurizer has not been modeled. This is based on design information that indicates the line only serves to prevent stresses (thermal or otherwise) upon CMT actuation, and is not sized large enough to provide the pressure equalization function for the larger makeup events and operation modes of interest for the CMTs in this analysis.
3.3.4.4 DC Power Supply System (DCP)
Figure 3.3 4 provides a simplified schematic of the relevant portions of the DC Power Supply System. The DCP system is coupled to the AC Power system described in Section 3.3.4.2, through a system of battery chargers. The figure indicates one " channel" or division of DCP support, typical of four. This system supplies various MOVs for the DEP, NRHR, and WRC systems, and control power for A0Vs in the SFW and DEP systems. Buswork, circuit breaker, battery, and charger failures cre considered in the DCP models. Common cause failures of batteries only are included.
3-49
Figure 3.3-3. Core Makeup Tank System Simplified Drawing (Non-Proprietary Version; See Appendix P1, Figure P1-3 for Design Version Analyzed) ressurtzer ressurizer Sn Sn From RCS From RCS n
a I
n n
4 M Leg mg
'r r
ir 9-9.
w From From Accumulator Accumulator r
Mr h_
-t_+&-
From IRWST/
FromIRWST/
Sump Sump l
Figure 3.3-4. DC Power System Simplified Drawing, Typical of 4 DP141 I
i
- 1) wan
- 1) we.
^
C cng 1-1 Z
BAM4 ban-2 C
cho 1-2 Z
T)ms4A T) ocm I
n I
usv w = =
I 1
nsv De e.1 A I
DC WCA DC DP1 DC OS AOV Seenous 4
4 l
r m
=.
l 3.3.4.5 Depressurization System (DEP)
The autr>matic depressurization system (ADS or DEP) for the AP600 is configured in four stages (to relieve stress on the IRWST, to which the first three stages are sparged). This is shown in Figure 3.3-5.
The auto-actuation of each stage is based on CMT level setpoints.
DE2 can also be actuated manually by the operator, for feed and bleed cooling (whereby the CMTs and DEP systems are actuated by the operator as a backup means of cooling), or for when the CMTs have failed to inject (thus failing auto-actuation of the DEP system).
The fault and event tree identifiers for the DEP system are DEP1, DEP2, DEP3, DEP4, DEP02, DEP03, and DEPO 4.
The first four denote differing success criteria, I
for large (DEP1), medium (DEP2), and small (DEP3) 1DCAs, and for partial depressurization (DEP4) to allow the use of the active backup cooling system, NRHR. The latter three, with the "0" added, involve an operator actuation event combined with the appropriate (DEP2, DEP3, DEP4) success criteria for component failures. The specific success criteria are presented in Table Pl-1 of Appendix Pl.
Supports for the DEP system include DC power, compressed air supply, and actuation. DC power support is modeled in detail, whereas the actuation support is considered as a single event (which for simplification purposes is also t
assumed to include air support for the fourth AOV DEP stage).
ASSUMPTIONS:
The relief valves (V005A and V005B) were not modeled since they could only enhance depressurization system performance.
Sparger problems were not considered significant and were not modeled.
This fault tree was not constructed on a pipe-sebment basis, as strict application of modular logic (see discussion at tr e beginning of this j
section) would involve. The gates are in terms of valve faults only. This does not affect the completeness of the tree.
i 3-52
Figure 3.3-5. Depressurization System Simplified Drawing
- 5^ h 3
Stage 1A V001A V0018
> To IRWST
'4 Stage 2A 7
Stage 1B w
> To IRWST 4
Stage 2B 7002c v0020
'@s RCS Hot Lag B Stage 3B Tool V
Pressurizer Air Air b
b Stage 4A hI h(
> Containment V004A V0048 Air Air b
b Stage 48
> = aa =
To NRH System
)
i 3.3.4.6 External Containment Cooline (ECC)
The external containment cooling system, depicted in Figure 3.3-6, involves a combination of air and evaporative cooling of the containment shell exterior.
The fault tree analysis of this system involves only the component failures in the water spray portion of the system, since no components (e.g. air dampers) must operate for the air cooling process.
The ECC model involves injection of PCCr.ST contents to the exterior surface of the containment shell, or operator action to align the alternate injection system (Firewater). The Firewater / alternate eater source event has been modeled as an undeveloped event which includes tb operator action and component failures.
i This was necessary because no system information was available on the firewater or alternate water systems for the AP600.
The only support needed for the passive water spray is an actuation signal to the fail-open A0Vs, which has been modeled as a basic event on the fault tree.
3.3.4.7 In-Containment Refueline Water Storace Tank Iniection (IRT) 1 The IRWST provides passive, low pressure injection to the reactor vessel..The large tank has a line to each DVI, and injects by gravity after full reactor depressurization, to near containment-atmospheric.
Long term heat removal is
+
provided passively, in combination with Water Recirculation (WRC, Section 3.3.4.12).
Here, steam which has exited the RCS from a break or via the DEP i
system condenses on the inside containment shell and returns to the IRWST through l
a gutter arrangement. The WRC drain valves on the gutter close to ensure that the fluid drains to the IRWST and not the sump.
The fluid is then ultimately delivered to the RCS,
[
The simplified schematic for the IRWST contains proprietary design details and is included in Appendix P1 as Figure F1-7.
Figure 3.3-7 provides a non-
+
proprietary version of the IRWST system drawing.
The newer design version indicated in Figure F1-7 has a different check valve arrangement on the injection lines, versus the earlier design. Only check valves change state when the system j
operation is initiated after RCS pressure drops to near containment, so no supports are needed.
l ASSUMPTIONS:
l Diversion to the NRHR system is not included in the model because of the normally closed valves which would need to fail, and because no credible fluid sink exists. Even with the NRHR pumps running, the worst that would occur is return of the fluid to the IRWST.
Diversion to the ACC and CMT is not credible due to valve alignments and lack of a fluid sink.
i l
\\
Diversion of flow to the Sump is considered by modeling failure of the appropriate check valves and other normally closed valves.
i Plugging of the IRWST suction is considered to be covered by single and
)
common-cause plugging events for the normally open MOVs (V121A and V121B) i in each suction line, located just prior to the tank's suction points.
3-54 i
Figure 3.3-6. Extemal Containment Cooling injection System Simplified Drawing Passive Containment Cooling Water Storage Tank (PCCWST)
T001 2
From Altemate
.g 77 Water Soproe V006B h
PS1 M2 From Firewater a
m i
rm System V002A V001A V0058
-i l M
,PS2 V0028 V001B
,,,,,r I
Containment Building
Figure 3.3-7. In-Containment Refueling Water Storage Tank (IRWST)
Injection Simplified Drawing (Non-Proprietary Version; See Appendix P1, Figure P1-7 for Design Version Modeled) lRWST LJ LJ From Sump From Sump n
a injection Une Injection Une ir
'r y
u I
To NRHR <
i o
o i
i From Reactor From O
Core Makeup Tank Core Makeup Tank O
q; Vessel d
aM hnwlator Safetyinjec6on Une Safetyinjection Une 1
... m.
m
3.3.4.8 Normal Residual Heat Removal System (NRH)
The NRHR system is an active non-safety system which provides backup to the p:ssive safety systems in certain accident scenarios. The system is depicted in Figure 3.3-8.
The NRHR is capable of performing two separate functions, denoted NRH1 and NRH2 on the fault and event trees. NRH1 involves recirculation of the RCS coolant, by drawing from the RCS hot leg, transferring heat to the component c:oling water system via the NRHR heat exchangers, and returning the cooled fluid to the RCS directly.
This mode of NRHR requires partial reactor system depressurization.
NRH2 is an IRWST injection and recirculation function, used when passive IRWST injectio.n has failed.
The NRHR is manually aligned to deliver fluid from the IRWST to the RCS.
First it injects the contents of the IRWST, then fluid lost from the RCS in the form of steam condenses on the interior containment walls and drains via a gutter arrangement to the IRWST. The EEUUt continues to pump this ccndensed fluid to the RCS in mode NRH2.
The supports for b5 gut are AC power for the motor-driven pumps (MDPs), DC power fsr the MOVs, and component cooling water for the heat exchangers. In addition, cperator action is necessary to align the system for the appropriate mode of operation. This is discussed further in Section 3.5.2.
In the NRHR fault tree cadels, actuation faults for valves / pumps have not been included because of the cpsrator actions required.
i 1
ASSUMPTIONS:
The relief valve is not modeled as a diversion path for NRH2, since it discharges to the IRUST.
For NRH1, this path is neglected as a possible diversion path based on relief valve line size, pressure setpoint versus system operating pressure, and expected likelihood of spurious opening of the valve.
The failure rate for spurious opening of a relief valve is about SE-5 over 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, based on information in the NUREG/CR-4550 i
database (vol. 1).
This is much less than the failure contribution from operator failure to align the system.
The Chemical and Volume Control System (CVCS) connection to NRHR is not considered a credible diversion path.
Two normally closed manual valves prevent the diversion, and no significant fluid sink exists within the CVCS. The piping ratings for two systems near the interface are similar, so that a pipe-rupture type diversion is thought to be negligible.
Diversion through pipe segments 2 and 3 for NRH2 is not credible since these lead to the RCS.
Component Cooling Water support to the NRHR pumps has not been explicitly indicated on the fault trees, because of a lack of information regarding how long the pumps can operate without such cooling. This unavailability, if it applies, is assumed to be accounted for in the failure-to-run event probability included on the tree.
3-57
Failure to restore normally open MOVs V004A/B and V0li after test or i
maintenance is not considered as a failure mode since any test for operability of the system following maintenance would involve opening of the valves.
3.3.4.9 Passive Residual Heat Removal System (PRH)
The PRHR system, shown in Figure 3.3-9, provides passive decay heat removal for transient initiating events, after failure of main and startup feedwater (non-safety active systems). The system is actuated by opening of control A0Vs V108A or V108B. Heat removal from the heat exchangers, which are located inside the
~
IRWST, is via natural circulation flow within the IRWST across the heat exchanger banks. The two A0Vs fail open on loss of support, so only an actuation signal is needed. This has been modeled on the PRHR fault tree.
ASSUMPTIONS:
i MOV V101 (normally open) receives an actuation signal upon PRHR initiation.
This eliminates the need to include an event for valve mispositioning after test and maintenance.
Valves V108A/B include a separate control circuit fault event, because these are control valves 3.3.4.10 Startuo Feedwater System (SFW) i' Startup Feedwater is a non-safety active system normally used at low powers when the plant is shutting down for refueling or another planned outage. The system is also used in response to transient initiators, when main (normal) feedwater is not available.
Figure 3.3-10 provides the simplified schematic for the startup feedwater system.
As can be seen, it is similar to the safety-grade auxiliary feedwater system of current-generation PWRs. The two MDPs draw fluid from two tanks, the Deaerator Storage Tank (DST), and the Condensate Storage Tank (CST), and deliver it to the SGs.
Support for the SFW system includes AC power for the MDPs, and DC control power for the AOVs.
ASSUMPTIONS:
Both the Deserator Storage Tank and the CST are needed to meet the fluid i
supply needs over the SFW mission time.
Our understanding is that these two tanks provide adequate water supply for the mission time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.
An undeveloped event: " Tanks' Water Supply Insufficient" is added to model, as is done for CSTs in current-plant PRAs.
Test and Maintenance (T&M) has been modeled only for the air-operated control valves and the motor-driven pumps (MDPs). T&M unavailability for the deaerator and condensate storage tanks is not explicitly modeled on the tree, but can be considered as included under the undeveloped event:
" Tanks' Water Supply Insufficient".
4 3-58
Figure 3.3-8. Normal Residual Heat Removal System Simplified Drawing i i IRWST 4
V010 4
) k From IRWST Injection une"A" l
PS11 p
V011 To CVCS l
-e.-
CCWS PS6 4
]
PS9 ToIRWST
= L-1 r, a w a
=
=
,,PS1 D
75A H001A p
A M-L J A J 3
U r m ir ir 7
,7 i
PS12 PS10 PS7 V004A V003 V002A V001A P001A PSS PS2 Hot taa
-e-CCWS
,V008A
,V0088
+
]l Q
,V009A V0098
'J V005B H001B 003 5003 V
V V004B P001B g
To DVI To DVI PS8 "A"
"B' 1
Figure 3.3-9. Passive Residual Heat Removal System Simplified Drawing PS2
><1 m=
V102 O
(
V101 V103 PS4 HX001 HX002 HX003
[
eressurizer V10s v10e v107 Sgg
=
PS5 g
PS6 O
V108A l
a Hot Leg O
O 53088 PS7 PS8
Lt L;
~
Figure 3.3-10. Startup Feedwater System Simplified Drawing From Dooerator 1
and Condensate
[ DemeratorStorage )l l
Tank N
Y v02s From Condensate Storage Tank
\\"
O PS8 PS7 M
hQ To SG A
_h( lU l
V052 vae psi e=2^
3, pp u
PS6 To M B
- c :( ], w
- v=B ma V
va8 eS2 P002B PSS
Mispositioning of valves after test or maintenance is considered insignificant compared to other failures, generally because demonstration of system operability after a test or maintenance activity will apparently involve proper valve configuration.
Air-operated valves V255A and V255B are modeled with loss of instrument air and loss of control power as common failure events.
Actuation failure events are included in the tree where applicable, but are generally modeled as beln6 a common cause-type failure for like components, in that separate actuation events are not included for each component.
Plugging of the normally open A0Vs (V255A and V255B) is neglected, but the normally open manual valves include such a failure mode. The A0V " Failure to Remain Open" event includes spurious closure of the valve not caused by loss of instrument air or control power.
Plugging of the Condensate and Deaerator Storage Tanks is considered to be covered by the plugging event for the normally open manual valves (V025 and V053) in each suction 'line, located just prior to each tank's suction j
point.
j l
The SFW motor-driven pumps have " mechanical seals" according to vendor design information, so that component cooling water is not needed for this j
system.
3.3.4.11 Internal Containment Recirculation / Sumo Iniection (SMP)
The sump injection system provides a backup to the IRWST injection and WRC (next subsection) for sensitivity calculations as to the success criteria. The base-case success criteria do not include this system.
Here, fluid which has I
collected in the sump, possibly through URC failure, injects by Sravity flow to the RCS through the DVIs. The simplified schematic for SMP contains proprietary design details, and is included in Appendix P1 as Figure Pl-11.
An earlier version of the design which is not proprietary is shown in Figure 3.3-11.
The newer design version incorporates different valve arrangements in the sump suction lines.
ASSUMPTIONS:
No credible diversion paths were found for sump injection due to valve alignments and lack of fluid driving force (gravity injection from low l
point in containment).
Source of fluid in the sump is not explicitly modeled in the fault tree, because it is a natural process (containment internal recirculation flow) which delivers the fluid to the sump.
i 3-62
Figure 3.3-11. Sump Injection Simplified Drawing (Non-Proprieta.7 Version; See Appendix P1, Figure P1-11 for Design Version Modeled)
From IRWST FromIRWST O
O; i
I t j
t i
To NRHR q w
b a
l 1.
l From Reactor From Core Makeup Tank O
Vessel O
Core Makeup Tank and hmulator Safetyinjeccon Une Safetyinjection Une and h h i
I i
. u
.....m.
---.v-se r-e-o-.
.s
~
m r-.
F 3.3.4.12 Water Recirculation System (WRC)
The water recirculation system consists of normally open valves. which are attached to the drain arrangement that delivers the condensed fluid from the
. interior containment shell to the IRWST. When open, the valves direct the fluid b3 the sump instead of the IRWST. The valves receive a signal to close so that the condensed fluid will drain to the IRWST.
The simple fault tree for the water recirculation valves includes the rather conservative common-cause type actuation failure event, because of lack of information about the actuation for this system.
As the discussion of basic event importance indicates in Section 3.6, this actuation event shows up as being very important for the base case calculation, possibly wrongly so because of the conservative modeling usumption.
From a strictly level 1 PRA (core damage frequency) standpoint, it would appear more beneficial to have the valves normally closed.
However, if one considers Level 2 and Level 3 (accident progression and consequences) insights, the normally open status could well be justified. Operator recovery of this system may be likely as well.
It should be noted that, after the full base-case and success criteria sensitivity calculations were performed (Section 3.6), a non-conservative error involving the support system indicated in the WRC fault tree was found (see the fault tree in Appendix P2).
A recalculation using a corrected fault tree was performed to investigate the impact of the error.
There was no change in the mean point estimate core damage frequency, providing some confidence that the error was insignificant to the results of the numerous calculations.
3.4 Event Tree Develooment This section, together with the proprietary Appendix P3, present and discuss the base-case event tree analysis for this study.
The methodology for event tree development is presented in Section 2.2.2.
Section 3.4.1 discusses the scope of the analysis,. and Section 3.4.2 provides a general, non-proprietary discussion of the structure and assumptions in the event trees. More detailed descriptions for each tree, and the trees themselves, are presented in Appendix P3.
3.4.1 Event Tree Analysis Scope The scope of the Phase 1 analysis did not include thermal-hydraulic code calculations to support success criteria definition. Therefore, the event trees presented here are based on the success assumptions and tree structure of the event trees included in the PDR as well as on information obtained through July 1991 on the latest Westinghouse PRA assumptions. As such, these trees represent a best estimate for Westinghouse success criteria, or " base case", for this study.
These success criteria are a starting point for investigation of the potential impact on mean core damage frequency due to uncertainties in the natural processes. As discussed in the methodology section, the uncertainties in the passive system processes can be translated to uncertainties in the success criteria which apply for a system. More event trees, representing sensitivities as to the success criteria, are discussed in Section 3.6.
The trees have been developed at the system level.
3-64
The event trees in this analysis are developed to evaluate the potential for core damage; containment status is only included where it is necessary to prevent core damage because no consequence analyses are planned in combination with this study ct this time.
Sensitivity calculations regarding containment systems not included for the base case (in this case, ECC) are discussed in Section 3.6.
A: _is discussed in Section 2.2.2, only the emergency cooling and decay heat l
removal functions are represented on these event trees. Therefore, no top events rolated to reactor shutdown, and no Anticipated Transient Without SCRAM (ATWS) l tree, are included.
Seven initiators are evaluated, selected based on the initiators analyzed in chapter 12 of the PDR:
SIDCA:
Small Loss-of-Coolant Accident MLOCA:
Medium Ioss-of-Coolant Accident LLOCA:
Large Loss-of-Coolant Accident i
TWMF:
Transient With Main Feedwater Available TWOMF:
Transient Without Main Feedwater Available MSP:
Loss of Off-Site Power SGTR:
Steam Generator Tube Rupture.
The initiators and their frequencies are discussed further in Section 3.5.
It chould be noted that a subset of the small LOCAs can be handled via the normal chemical and volume control system (CVCS). This system has not been incorporated in this study.
All small LOCAs are conservatively analyzed together, without credit for normal CVCS.
This is not expected to change the overall results significantly.
3.4.2 Event Tree Structure The event tree top events or headings are presented in the previous section in Tcble 3.3-1.
This table includes all the top event headings and brief dsscriptions, with more extensive system information included in each system dascription of Section 3.3.4.
The success criteria, and thus the structure of the event trees, are proprietary because they are based on Westinghouse-developed j
cuccess criteria. Discussions of assumptions and sequences for each event tree, cc well as graphical representations of each tree are therefore contained in proprietary Appendix P3.
To provide a general understanding of the structure of the trees for readers without access to Appendix P3, several observations can be made.
The cccumulators and core makeup tanks are high pressure injection systems used in j
response to IhCAs.
These systems also appear on transient trees as part of a "fsed-and-bleed" cooling mode, together with the depressurization system. The IRWST is the long-term, low pressure inj ection system which appears on the various LOCA trees, and on transient trees following feed-and-bleed cooling.
l This system requires full depressurization to operate, because its only driving l
force is the gravity head of the fluid in the tank.
If IRWST injection by grcvity fails, or full depressurization is not attained, the NRER system can cligned to actively inject the contents of the tank.
I Longer term, passive heat removal involves steaming to containment, either from j
tha IRWST, the DEP system, or from a LOCA break location. With cooling at the l
3-65
exterior of the containment shell (air or evaporative), the steam condenses and drains via a system of weirs to the IRWST, provided that the water recirculation valves are closed.
This fluid is then available for injection to the RCS.
If the WRC valves are open, this collected fluid drains to the containment sump instead. Direct sump injection lines are available to allow this fluid to flow into the RCS, although credit is not taken for this mode in the base-case calculations.
As one might expect, some degree of containment integrity is required for this containment recirculation process so that the steam and fluid are not diverted out of the containment.
For response to transients, the non-safety active main and startup feedwater systems are called upon first. If these fail, PRHR is used. The feed-and-bleed cooling mode mentioned above is used if PRHR is unsuccessful.
Also, the NRHR system can be aligned to cool the RCS after partial depressurization.
Also included in the structure of the event trees is the possibility of a " smart-break" LOCA, which involves a break in one of the direct vessel injection lines.
This event is assumed to disable the affected trains of the injection systems (e.g. CMT and ACC) delivering fluid to that line.
In order to investigate the level of conservatism in the base-case success assumptions, two slightly less conservative sets of success criteria were examined.
These were distinguished on the event trees with the outcome identifiers "TBD-1" and "TBD-2," as opposed to "CD" for core damage or "OK" for aversion of core damage.
It should be emphasized that no thermal-hydraulic calculations have been performed to verify these sequence outcomes; they are based solely on analyst judgement using Westinghouse information.
These cases were selected for examination because they seemed plausible. TBD-1 involves the use of sump injection after failure of VRC (see discussion above), and TBD-2 involves the use of NRHR in two separate backup modes, inj ection and cooling.
This case is thought to be somewhat less plausible than TBD-1 because it involves two distinct operator actions, whereas sump inj ection would be completely automatic.
The mission time has in general been assumed to be 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, and sequences are terminated after reaching a " stable" long term cooling mode.
(In fact, time scales of three days or more are expected before emptying the PCCWST, and boiling off the ILWST when used to cool the PRHR heat exchangers.
This provides ample opportunity for replenishment.)
The individual event trees and a discussion of each are presented in Appendix P3.
3.5 Data. Dependent Failure. and Human Reliability Analyses This section describes the data analysis task, including common cause and human reliability analyses, performad to obtain values for the basic events in the fault trees, selected top events in the event trees, or initiator values.
The intent for the dependent failure and human reliability analyses was that they be performed at an intermediate level of depth, not at a detailed level.
The analyses should not be overly conservative, such that they would inaccurately drive the overall results; however, resource and design information limitations dictated that these analyses could not be in-depth.
3-66
In this section, the database development task is first described, including the common cause anslysis.
This is followed by a brief discussion of initiating cvent values used in the analysis, and next the human reliability analysis is
. presented.
Finally, a discussion of some special data issues, such as check valve operation at low pressures, is presented.
A2 with the previous two sections (3.3 and 3.4), certain portions of this section cantain information that is considered proprietary because it reveals W2stinghouse proprietary design details or success criteria. This proprietary information has been extracted and placed in the proprietary Appendix P4.
3.5.1 Database Development The database development task involves determining appropriate values for use in.
the quantification of the fault and event trees. This includes values for basic events related to hardware failures, as well as system reliability estimates for those systems not modeled in detail in the fault tree analysis task.
As one night expect, many analogies to current-generation reactor components and systems hc4 to be drawn in the analysis of this advanced light water reactor. This is not unreasonable, because one of the premises of the AP600 design is that it draws as much as possible on current plant technology for its hardware. Indeed, for the July 1991 AP600 design version, a majority of components such as valves cre off-the-shelf, current plant designs.
This reduces a great deal of the uncertainty associated with their failure rates except, perhaps, where they are utilized in new environments, such as in passive systems.
Section 3.5.5 discusses some of these issues.
Table P4-1 in proprietary Appendix P4 presents the complete database used for this analysis.
Included in the table are each of the basic events and other event estimates. The event name, failure rate and time, distribution type and error factor (if applicable), brief event description, and the source of the failure estimate, are listed.
A column for notes is included for those items that require further explanation; the notes are at the end of the table, along with the table references.
The common cause, initiating event, and human reliability analysis (HRA) values are discussed in sections 3.5.2, 3.5.3, and 3.5.4, respectively.
Table 3.5-1, located at the end of Section 3.5, provides a non-proprietery varsion of the data table.
In this table, any rows containing proprietary information have been removed.
This applies to certain system and human reliability estimates which were based (due to lack of information) on i
Westinghouse proprietary values. For several systems (CMT, IRWST, SMP, and WRC) cpecific components are not called out, because design details could potentially bs derived from a listing of components for each system.
For these systems, representative failure rates are identified for each component and valve type, where this will not reveal proprietary design detail.
J.5.1.1 Sources of Information for the Database As discussed above, many analogies were drawn to current plant systems and components in order to develop the AP600 database for this study. The majority of the events in the database originate from the ASEP generic database [4).
Other sources of data include IEEE-STD-500 [37), the Generic Component Data Base 3-67
for LUR and Liquid Sodium Reactors, EGG-SSRE-8875 [34), the Analysis of Core Damage Frequency for Surry Unit 1 Internal Events (NUREG/CR-4550, Volume 3) [3),
and the Analysis of Core Damage Frequency for Sequoyah Unit 1 Internal Events (NUREC/CR-4550, Volume 5) [38).
3.5.1.2 Database Assumotions In general, the time-related unavailabilities were calculated from failure rates as follows. For time intervals on the order of days (primarily 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />), the unavailability is assumed to be the failure rate multiplied by the time.
For times of weeks, conths, or years, the unavailability is calculated using one-half the failure rate multiplied by the time.
The Westinghouse PDR chapter 12 (PRA chapter) supplied data-related information in cases where adequate detailed information about a system was not available, or where a system was not modeled in detail due to resource constraints. Other instances where the generic sources mentioned in the previous subsection did not directly apply to the AP600 components and systems led to additional assumptions.
Most of these assumptions are documented in the notes of Tables 3.5-1 and P4-1 (Appendix P4). A few general assumptions are listed below.
Plugging failure due to debris in tanks is included in two ways. First, a common cause failure due to tank plugging is postulated for all valves immediately downstream of the tank, and second, random plugging of each of the tank suction valves is included. Plugging of flow restrictors was estimated using an orifice plugging value from ASEP.
For nearly all the events used in this study, a log-normal distribution is assumed to represent the uncertainty distribution on the data estimates. This is a common assumption used in many current PRAs.
Several of the events represent point estimates without uncertainty bounds applied.
These are generally events which were derived from Westinghouse data values.
l 3.5.1.3 Miscellaneous Events For three event tree top events, it is felt that the Westinghouse PDR values are most appropriate, due to the AP600-specific nature of the events together with lack of detailed information related to these events. These events are the Main Feedwater system reliability estimate; the Smart Break LOCA conditional probability, which is calculated based on the fraction of piping length associated with the safety injection lines; and the containment isolation failure probability.
SGI-0, the event involving operator isolation of a steam generator during a tube rupture event, is discussed in the HRA section, 3.5.4.
3.5.2 Dependent Failure Analysis The system failure models and analyses explicitly account for the various system dependencies such as the need for power, component cooling water, etc.
Since the AP-600 is in its design stage and thus plant-specific data on components does not exist, subtle interactions are not included in this analysis.
Based on a cursory review of the subtle interactions identified and considered in the Surry analysis, it was determined that in general the type of detailed information 3-68
t l
needed for such an analysis is not available for the AP600 conceptual design as af July 1991.
Two forms of dependencies are considered in this analysis:
direct functional d;pendencies and common cause.
The following subsections address each of the l
tcsks performed as part of the dependent failure analysis.
l l
3.5.2.1 Direct Functional Dependencies i
(
Direct dependencies represent the dependency of a system on other systems to p2rform its intended function, or the direct effect of an initiating event on eystem performance. Generally these dependencies include:
(1)
Initiators -- This category includes the effects of events which cause a plant transient and affect the likelihood of mitigating system performance. The svents either cause the system failure or increase the system's probability of failure. This category was included for the AC power dependency for LOSP events, cnd the division of transients into categories with and without main feedwater.
(2)
Support System Dependencies For successful operation, most of the front-line passive systems (e.g.,
CMT, IRT, etc.) do not depend on support systems. These systems contain fail-safe valves, and only an actuation signal 10 needed to support their operation. A few non-safety systems that can be used fer accident response do depend on support systems, such as electrical power or air supply. These explicit dependencies are included in the logic models of the cystems as basic events. For example, the dependency of the Normal Residual Heat R:moval System on the Component Cooling Water System (CCWS) is represented as the undeveloped basic event NRH-HIX-UE-CCWS in the system fault tree.
(A system failure estimate for CCWS is applied to this undeveloped event.)
(3) Shared-Equipment Dependencies -- When failed, components that are utilized by multiple systems can potentially fail the affected systems. Components that
{
cre shared by several AP-600 systems were identified and are represented in the eystem fault trees; the main case of this dependency is the shared injection lines for IRT and SMP.
3.5.2.2 Common-Cause Analysis j
l A common-cause event is defined as the simultaneous failure or unavailability of i
tore than one component due to some shared cause.
For this analysis, numerous common-cause failures have been represented in the system fault trees as basic events. Common-cause failures across system boundaries were not modeled. Beta factors were applied within a system to redundant, identical components and identical failure modes.
i l
The quantification of common-cause failure probabilities was based on the rathodology and values of NUREG/CR-2770 [39] and NUREG/CR-4550 (which is based en EPRI NP-3967). The primary model used in this study was a combination of the bsta factor model and the binomial failure rate (BFR). The beta factor model was chosen for common-cause events that involtad the loss of two out of two components (e.g., ACC-CCF-OC-027AB, which represents the failure of ACC MOVs V027A/B to remain open). Beta factors for two-component failures are presented in Table 3.5-2.
i l
3-69 l
U l
1 TABLE 3.5-2.
Beta Factor Summary DESCRIPTION BETA SOURCE EACTOR Beta for CCFailure of 2 MOVs 8.80E-2 ASEP Beta for CCFailure of 2 CKVs 1.44E-1 NUREG/CR-2770 Beta for CCFailure of 2 A0Vs 1.00E-1 ASEP Beta for CCFailure of 2 MDPs 2.10E-1 ASEP For higher order common-cause events involving k
components (e.g.,
CMT-CCF-PT-145AB which represents the failure of CMT A0Vs V014A&B and V015A&B to open) the corresponding beta factors were calculated using the following equation:
(beta-factor), - (beta-factor),
- r /r, o
where:
(beta-factor), represents the beta factor for the common cause failure of exactly k components in a group of size n; (beta-factor), represents the beta factor for two-out-of-two events; r is the rate at which a specific set of k components becomes inoperable simultaneously due to a common cause; and r, is r, with k-2.
This equation appears in NUREG/CR-4550 Vol. 1 [4), page 6-9.
The multiple failures of interest are all valve failuras, and Atwood's report on valves, NUREG/CR-2770 [39), is used extensively in these calculations.
The approach used in this study to consider common cause failure of greater than two components with varying success criteria was discussed in a letter dated January 24, 1991, from A.
C.
Payne, Jr. of Sandia National Laboratories, to Kazuhara Fujioka of the Japan Institute of Nuclear Safety. The approach can best be explained through an example used in this letter.
If one has a set of three components, A, B, and C, the probability that all three fail is given by the following equation:
P(ABC) - P(A)
- P(B)
- P(C) + P (AB)
- P(C) + P,(AC)
- P(B)
+ P,(BC)
- P(A) + P.(ABC) where:
P(X) - random failure probability of component X P,(XY) - common cause failure probability of exactly two components X and Y, and P (XYZ) - common cause failure of exactly three components.
3-70
l l
i l
l Since these are identical components, P(A) - P(B) - P(C) - X:
l P,(AB) - P.,(BC) - P,,(AC) - X$2; P.,(ABC) - X$3; and l
P(ABC) - X2 + 3X'82 +X 3
l l
Tha usual practice in a fault tree model is to drop the #2 term. If the success criteria is two-of-three instead, then two of three must fail, and a reduced sxpression for the probability of this is given by:
P(at least 2/3 fail) - Xp3 + 3Xp2 + 3X2 Th3 p, term can not be dropped in this case since it involves only a single power of X, and may be larger than the p3 term.
This example illustrates the method which was used to derive the multiple corponent, varying success criteria common cause failure probabilities in this otudy. In general, terms with beta factors combined with higher order "X" values ware dropped as insignificant. Table 3.5-3 provides a summary of the simplified expressions used to calculate the common cause probabilities for various valve corbinations and logic. The specific systems and basic events for which each of thsse expressions apply is included in Appendix P4 as Table P4-2.
The actual values for each event are listed in Table P4-1 (Appendix P4).
A problem identified in the above-mentioned letter has to do with calculation of ths B 's.
The definition in Atwood's report for r, includes the term w, the lethal shock (r.
pp*
+ w).
A lethal shock, by definition, takes out all n l
corponents, so that it should not apply to p,' s where k is less than n.
l Otherwise, double-counting of the w's occurs. Examining the original expression for.:
p - #2*(rg/r2),
using Atwood's expression for r, and r, this expression is e
B. - S2*(pp* + w)/(pp
+ w) for all k, and 2
2
- 2 - r2/r, - ( p
+ w)/(A + p + w).
If one corrects these expressions to remove double counting of w, the following expressions are obtained:
B - $2*(#P" + W)/(FP )
for k - n, 2
- a - #2* (P)
for (3 < k < n), and I
$2 - r2/r, - (pp )/( A + pp).
2 i
3-71
i TABLE 3.5-3.
Simplified Expressions for Multiple Component Common Cause Failure Events (Non-Proprietary Version)
VALVE LOGIC SIMPLIFIED EXPRESSION (X is random single
)
component failure probability)
Two redundant lines, each with Xp, + 4Xp3 + 4Xp two series valves Four redundant lines, each with Xp.
one identical valve Two of four success criteria Xp. + 4Xp3 for four parallel lines, each 1
with one identical valve Four redundant lines, each with Xp, + 16Xp (Approximated. Single X terms two series valves from to, neglected) 3 These are the expressions used to calculate the various p/s for this study, using the tabulated data for each valve type in Appendix C of Steverson and Atwood's report [39]. One exception is the check valve data, which apparently was too sparse and resulted in a very high lethal shock value relative to the random and non-lethal shock rates.
Here, the A0V values were applied.
The equations in Table Pl-2 (and Table 3.5-3) were used to derive the common cause event values included in Table P4-1.
As mentioned previously, the fault tree for each system contains, where appropriate, basic common-cause failure events. On the depressurization system fault trees, the various success criteria lead to differing logic combinations of common cause basic events. The specifics for each set of DEP success criteria are discussed in Appendix P4, Section P4.2.
One other common cause event which should be discussed is the common cause failure of the batteries. The portion of the DC power system analyzed for this study includes eight batteries. To provide a simplified estimate for this event, equation 6.5 of reference (4) was app 1' 9 This yields an effective p, of 0.206.
i 3.5.3 Initiating Event Frequencies Because the initiating event frequencies are not quantitatively part of the emergency cooling functional failure probability, it was decided to utilize the initiator frequencies calculated by Westinghouse for the AP600. The sources of Westinghouse initiating event information included the AP600 Plant Description Report, and a conference paper on the AP600 PRA [40]. The Westinghouse values were not scrutinized in depth, but rather reviewed to determine whether they seemed reasonable.
(Note:
more recent Westinghouse initiator values became available at the end of July, 1991.
These were not considered due to time constraints.) The initiator values in this study serve primarily to contribute to a relative importance of sequences in the success criteria sensitivity quantification portion (Section 3.6.2) of the program. It should be noted that an initiating event analysis for the AP600 is being undertaken as a separate but related study.
1 3-72 i
l The Westinghouse initiator values take into account differences in AP600 versus current plant designs, such as the use of canned reactor coolant pumps and the l
possibility of tube ruptures in the passive residual heat removal heat exchanger.
l The values were based on previous PRAs and past nuclear power plant operating i
experience.
In Table 3.5-4, the Westinghouse frequencies and sources are compared to those cited in the NUREG/CR-4550 methodology document [4] for the PWRs analyzed. In some cases comparison has been made to the values used for the NUREG/CR-4550 Surry analysis [3], when frequencies varied among the three PWRs enalyzed.
For quantification, the Westinghouse values will be used, with a lognormal distribution and an assumed error factor of 3, as was applied for each of the LOCA and transient events in.[4]. A discussion of Table 3.5-4 follows.
l l
The break size definitions for the IDCA categories are indicated in Tables P3-1, j
P3-2, and P3-3 in proprietary Appendix P3. The size delineations are similar for l
the NUREG/CR 4550 analyses and the Westinghouse analysis, except that the small-anall lhCA event defined in the NUREG/CR-4550 analyses has been subsumed into the etall LOCA category for the Westinghouse initiators.
In combining the two, Wastinghouse indicates that they considered AP600-specific design features which would impact small or small-small IDCA frequency, such as lack of reactor coolant pump (RCP) seals, since the RCPs are canned, and no power operated relief valves in the RCS. These would both act to reduce the small LOCA frequency. They also considered the possibility of tube ruptures in the passive residual heat removal
)
haat exchanger, which would increase the frequency somewhat.
The value they report is the same as the mean value for small LOCAs reported in WASH-1400 l
(Appendix III, p. 83/84). For the purposes of this study it will be assumed that i
the Vestinghouse analysis has correctly accounted for AP600-specific design considerations when eliminating the small-small LOCA category and assigning the j
s=all LOCA frequency of 3E-3/yr.
For the medium and large LOCAs, Westinghouse cites WASH-1400. Indeed, these mean values correspond to the median values in WASH-1400 Appendix III with an error factor of 10.
Although the size definition for medium versus large lhCAs has been changed somewhat to account for AP600-specific success criteria, these frequencies seem reasonable, and are not far from those used in the NUREG-1150 PUR analyses.
The Steam Generator Tube Rupture (SGTR) event has an assigned frequency less than thzt used in the 1150 PWR analyses. Westinghouse justifies this by stating that credit is taken for design features of the model F steam generator incorporated in the AP600 design. Their value is, according to the PDR, based on Westinghouse steam generator operating experience.
Again, based on these arguments, this frequency is thought to be plausible for use in this study.
The AP600 transient frequencies are based on the same sources as the NUREG/CR-4550 transient frequencies.
Although not identical, the two values are quite close.
In general, one might expect that this new design would have very different transient frequencies versus current plants, but much effort would be required to pin down a more accurate value. The Loss of Offsite Power frequency is very site-specific.
The value chosen in the PDR is based on industry-wide data, and is therefore appropriate for this analysis.
3-73
TABLE 3.5-4.
Comparison of Westinghouse AP600 and NUREG-4550 Initiator Frequencies INITIATOR WESTINGHOUSE NUREC/CR-4550 WESTINCHOUSE NUREG/CR-4550 PDR Rev. O FREQUENCY SOURCE SOURCE (PWR)
FREQUENCY (PWR)
SMALL-SMALL N/A 2E-2/yr N/A: No Pump Past PRAs, LOCA Seals Other Misc SMALL LOCA 3.0E-3/yr IE-3/yr AP600-Specific Past PRAs MEDIUM LOCA 8.0E-4/yr 1E-3/yr WASH-1400 Past PRAs LARGE LOCA 3.0E-4/yr 5E-4/yr WASH-1400 Past PRAs STEAM 3.6E-3/yr 1E-2/yr Past (West.)
Past PWR GENERATOR PWR Operating Operating TUBE RUPTURE Experience, Experience Modified TRANSIENTS 6.5/yr 7.1/yr NUREC/CR-3862 NUREC/CR-3862 WITH MAIN EPRI NP-2230 FEEDWATER EPRI NP-801 TRANSIENTS 5.7E-1/yr 1.2/yr NUREG/CR-3862 NUREG/CR-3862 WITHOUT MAIN EPRI NP-2230 FEEDWATER EPRI NP-801 LOSS OF 9.7E 2/yr 7.7E-2/yr NUREC/CR-3992 NUREG-5032 0FFSITE (Surry)
(Surry-POWER Specific)
INTERFACING 1.6E-9/yr 1.6E-6/yr AP600 Systems NUREG/CR-4550 SYSTEMS LOCA (Surry)
Analysis Vol. 2 (Expert Judgment)
REACTOR 1E-7/yr Not Included WASH-1400 Surry PTS VESSEL For Surry Calculations FAILURE The frequency for interfacing system IDCAs is three orders of magnitude less than that used in the Surry analysis. The PDR states that this value was calculated based on an AP600 systems analysis. As a result of the very low frequency found, Westinghouse did not further analyze this event. One of the design changes since the January 1989 PDR possibly affecting this frequency is the addition of the Normal Residual Heat Removal (NRHR) system in place of the former Spent Fuel Cooling (SFC) system. It appears that the interface between the RCS and the NRHR is similar to that with the former SFC system.
Therefore, assuming that the Westinghouse systems analysis was accurate, this frequency can be assumed to apply to the newer AP600 design.
At 1.6E-9/yr, it is too low for further l
analysis, and can be neglected. Again, a more detailed examination (outside the l
3-74 l
[
f ccope of this analysis) would be needed to evaluate the 1.6E-9 value, which seems unrealistically low based on cursory review.
i f
Finally, Westinghouse assigned the vessel failure event a value of IE-7/yr based en WASH-1400. In the AP600 PRA, vessel failure was assumed to lead directly to
[
. care damage.
Surry Pressurized Thermal Shock (PTS) calculations and other censiderations yielded an estimate in the 1E-8/yr range, and the event was not further analyzed.
The frequency cited for the AP600 is probably rather i
censervative, since the newer vessel materials and internals design will probably '
I rsduce the likelihood of failure due to PTS.
l 3.5.4 Human Reliability Analysis The Human Reliability Analysis- (HRA) performed for this study utilized the rathodology described in NUREG/CR-4550, Vol.1, [4] to the extent possible with the limited information available for this conceptual plant design.
As is typical, the analysis was divided into pre-and post-accident (initiator) events.
The pre-initiator events of interest are events involving failure to restore a component (or set of components) after test or maintenance. The post-initiator svents included events involving operator alignment and/or actuation of various non-automatic systems.
For two of the post-initiator human actions, the values reported in the January 1989 AP600 PDR, ch.12, were applied due to lack of information about either the system involved or the event itself.
These will be discussed in the post-initiator event section. Most of the human error probabilities (HEPs) have been reported in the main database summary, Table P4-1 in Appendix P4, and to a lesser extent (due to proprietary considerations) in Table 3.5-1.
All human error probabilities are summarized in Table P4-3 in the proprietary appendices.
Appendix P4 also contains Table P4-4, a post-diagnosis HRA summary.
It should be noted that the approach reported in NUREG/CR-4550 vol. 1 [4] is a simplified but somewhat conservative HRA method.
The PDR and reference (40]
report that NUREG/CR 1278 was utilized in the AP600 [ post-accident) HRA analysis.
The approach in [4] is based on NUREG/CR-4772 (the ASEP HRA procedures guide),
which in turn is a simplified version of NUREG/CR-1278.
The approach applied hare tended to be conservative for the post-initiator HEP calculations, so that
. rome of these HEPs may appear high.
3.5.4.1 Pre-Initiator Human Reliability Analysis The pre-initiator class of human actions includes two sets of events: failure to restore a manual valve to the open position following test or maintenance, and failure to restore a motor-operated valve (MOV) to the closed position following test or maintenance.
Examples of the manual valve events involved are the j
various PRHR manual valves, PRH-XVM RE-V102/3/4/5/6/7/9, where the slashes indicate separate events.
The MOV event is NRH MOV-RE-V010.
Even though the actual test and maintenance procedures to be used for the AP600 are not available, certain assumptions can be made to avoid overly conservative HRA results which would dominate the overall sequence quantification. As described for the pre-accident analysis in [4), certain " basic" or " optimum" conditions (sse Table 7.2-4 of [4)) can be met by the test or maintenance practices.
3-75
... ~ - -
The manual valve restoration failure events each involve a valve that is part of
.a safety system, either CMT or PRHR.
In this case, it is assumed that no compelling signal feedback is available; i.e., the position of the valve is not
]
annunciated (Basic condition 1, Table 7.2-4 [4]). No written daily or shiftly checks of component status are assumed, since they would not likely be possible during operation due to the location of these valves (Basic Condition 4, Table 7.2-4 [4]).
However, because these valves are part of important front-line safety systems, two " optimum" conditions are assumed to be met:
(1) a post-maintenance or calibration test, if performed correctly, will allow recovery of the error (Optimum condition 2); and (2) a second person will be required to directly verify component status after completion of the maintenance / test activity, or a separate written check by the original individual is made (optimum Condition 3).
In the case of these manual valves, it would be some means of ensuring that the valve disk is in the full-open position. For these conditions,
(
Case VIII of Table 7,2.-5 [4] applies. A pre-accident total failure probability j
is found by multiplying the basic HEP, 0.03, by the appropriate recovery factors according to Table 7.2-6 to yield 3E-4, with an error factor of about ten.
For the MOV restoration failure event, a non-safety-grade system is involved.
Basic Conditions 1 and 4, as described above for the manual valves, are assumed i
to apply to this valve as well.
Optimum Condition 3,
whereby a second independent check of component status occurs, is also assumed applicable for this l
valve. However, Optimum Condition 2 is not applied, because it is thought that l
the controls for test and maintenance on a non-safety system will be less
(
stringent. This is Case III of Table 7.2-5 [4]. A total failure probability of l
3E-3 with an error factor of about ten thus applies.
i 3.5.4.2 Post-Initiator Human Reliability Analysis As discussed above, NUREC/CR-1278 was cited as the methodology used for the Westinghouse AP600 HRA analysis. NUREG/CR-1278 is a more in-depth approach that should yield somewhat less conservative numbers versus the approach in [4], but requires more detailed information. This translates to more assumptions in the AP600's case.
I For this study, the NUREG/CR-4550 methodology will be used for the post-initiator human actions for which adequate information is available, i.e.,
for the human I
actions that will not require an excessive number of assumptions due to lack of information. This will yield somewhat higher numbers than those reported in the PDR.
In this study, most post-initiator human actions are modeled as separate events from the component failures in the fault trees.
Two exceptions are discussed in the next paragraph.
Two human error probabilities were not calculated using the NUREG/CR-4550 method, The first falls into the category of " lacking adequate information to avoid excessive assumptions," for which it is considered preferable to use the Westinghouse HRA value. This is the event involving alignment of the alternate firewater injection source for the external containment cooling system.
No information is available on the firewater system itself, so that a component failure estimate would be difficult. Although it would be possible to assume it is similar to that of a current plant, the PDR HRA value is thought to be based on more representative design information. This value is reported in Table P4-3 of Appendix P4, and it includes component failures. A rather large error factor i
3-76
of 10 will be assumed for this event, because of the lack of information for this event.
The second event for which the Westinghouse HRA value was considered preferable is the Steam Generator Identification and Isolation event following a tube rupture initiator. In calculating an estimate for this event using the NUREC/CR-4550 approach and including component failures, it was determined that the Umstinghouse value is somewhat more conservative (higher).
The Westinghouse value will be used, because there may be additional considerations in the Wastinghouse analysis that are not apparent from the PDR.
An error factor of five will be assigned, based on the NUREG/CR-4550 approach.
Three events were analyzed in the post initiator HRA:
(1) alignment and actuation of NRHR for recirculation, (2) alignment and actuation of NRHR for injection / recirculation, and (3) actuation of feed and bleed cooling following a non-ATWS event.
Since detailed thermal-hydraulic calculations will not be parformed as part of this study until after initial sequence quantification, the information provided in the PDR on available diagnosis time was utilized in the post-initiator HRA.
It is assumed that these times are based on Westinghouse thermal-hydraulic calculations, and estimates of task performance time. By using this diagnosis time, most of the post-initiator analysis through Step 7.15 [4]
is complete.
(Note: the Steps identified in this discussion refer to those in chapter 7 of [4).)
This analysis therefore starts with determining the diagnosis HEP for single abnormal events, Step 7.16.
A sincle abnormal event has been assumed, based on its definition in Step 7.12, by asserting that all actions will either be part of the same emergency procedure, or separated by 15 to 20 minutes or more after the first event. Using the PDR diagnosis times and Figure 7.3-2 of [4), diagnosis failure probabilities were calculated.
The adj us tments described in Step 7.16 for the final diagnosis HEP were not applied due to lack of information.
Table P4-4 in Appendix P4 summarizes the diagnosis HEPs.
In determining the post-diagnosis HEP, Steps 7.18 through 7.20 in chapter 7 of
[4] are completed.
In order to characterize the type of human action (Step 7.18), it is assumed that one safety-system has failed prior to the human action, and that operators will be trained in and will use symptom-based Emergency Operating Procedures (EOPs).
It is further assumed that the operator performs greater than one activity for the two NRHR actions, but not for the feed and bleed event.
For feed and bleed, more than one activity is performed, but the assumption is that there would be " good indications for when a shift must be made from one activity to another," allowing the event to be classified under not more than one activity. As a result, feed and bleed is considered a " step-by-step" activity, and the NRER actions are considered " dynamic."
The next step in the post-initiator HRA is Step 7.19, determining the operator stress level. The operator stress level was assumed to be moderately high for the HRA.
According to Step 7.19, a moderately high stress level should be assessed, except for the case of the recirculation phase in a large LOCA. Also, the total time available to diagnose and perform the activities must be greater than two hours to allow classification as moderate stress. This total time was unknown. Because of the general conservative nature of the HRA approach in [4),
it is felt that assigning a moderate rather than high stress level for all the events is reasonable.
3-77
In calculating the post-diagnosis human error probability, Step 7.20 is employed.
Table 7.3-14 is utilized, with moderate stress and either step-by-step (feed and biced) or dynamic (NRHR actions) characteristics.
Each action is broken down into separate activities, which are indicated in Table P4-5 of Appendix P4.
Based on our understanding, it is assumed that two operators are present in the control room.
Therefore, we assume a single additional independent check for every activity except manual valve alignment (which would seem likely to be performed by a single individual).
Assigning the appropriate HEP and error factor for each separate activity and applying a single independent check gives the overall HEP for a given activity.
The total post-diagnosis HEP for the action is determined by summing the HEPs for the activities comprising that action.
To obtain the overall HEP, this post-diagnosis value is added to the diagnosis HEP calculated previously. These values are summarized in Tables P4-3 and P4-4.
3.5.5 Special Data Issues Certain issues related to the data analysis of this ALWR design were identified as requiring special attention. These arise largely due to new uses of current-technology components. The items of particular interest for this study are the use of check valves in low pressure, gravity-induced flow systems, and the unavailability of components normally classified as safety-grade in current plants, which are now categorized as non-safety.
These two issues are now discussed in the following subsections.
Section 3.7 c tamines a few additional calculational issues which were examined af ter completion of the quantification described in Section 3.6.
3.5.5.1 Check Valve Operation at Low Pressures One issue related to passive system operation is the incorporation of check valves in low pressure passive safety injections systems. For the AP600 design, this concern applies to the gravity-driven IRWST injection system, and possibly also to the sump injection lines, which share part of their injection path with the IRWST injection system. The operation of these systems, depicted in Figures
- 3. 3 -7 and 3. 3-11, depends upon the functioning of check valves in parallel injection lines. Most of these valves are normally closed against RCS pressure, and open only when the RCS is fully depressurized. The gravity head, which will vary as the tank drains, must exceed the RCS pressure by at least the differential pressure required for the check valve to open. Of note is that all of these check valves are, at this point, off-the-shelf, swing check valve technology. Westinghouse reportedly investigated augmented check valve designs but concluded (at least as of July 1991) that the current designs are preferable for this application.
Several factors can be postulated which might impact the reliability of these check valves.
These considerations are discussed in the following paragraphs, primarily with respect to IRWST operation since this system is included in the base case calculations of this study, whereas sump injection is not.
First, one can postulate that " clanging" or " chattering" will occur once the valves open initially, because of the low pressure differential across the valves.
Also postulated as a result of the nearly balanced pressures is a 3-78
clower, cyclic transfer of the valves from open to closed, because of slight pressure variations. The clanging process can potentially degrade the hydraulic parformance of the valve, possibly inhibiting gravity injection of the tank contents.
The elements of the total failure probability for these valves are standby feilure rate and standby time; demand-related probability of valve failure to open; and a failure to remain open once opened.
If the valve experienced clanging, accelerated aging of the valve would occur, possibly increasing the demand-related failure probability over time.
Certainly over the relatively ahort mission time this should not be a significant concern.
Based on our understanding, the IRWST injection lines will be used every refueling outage after RCS cooldown. Even if clanging occurs during this operation, the overall time for this aging process to act on the valves is small, and considered nagligible.
Of course, other aging processes will act on the valve during operation (e.g. vibration), raising the question of adequate diagnostics to datect aging over the life of the valves. References [41) and [42] discuss aging and service wear of check valves, and diagnostics.
The potentially cyclic opening of the valves represents a multiple-demand situation. One could postulate that in this situation, the standby contribution to valve failure should contribute the same as for a single demand, but the eultiple demands would require summing the (true) demand failure probability for j
ecch expected opening of the valve.
One problem is estimating the expected number of cycles experienced by the valve. Another is finding a database which has separated the demand-from the time-related failure mechanisms for check valves. Generally, the total per demand failure probability listed in generic databases represents a conversion from a failure rate using an assumed time inte rval.
A more extensive data analysis is likely required in order to characterize these distinct elements.
i Indications from Westinghouse are that they plan a thorough set of tests for prototypic check valves in an environment similar to that expected for the IRWST velves. Based on discussions with Westinghouse design personnel, the first round of tests on the valves, which investigated the clanging phenomenon, showed
" positive hydraulic performance" of the valves.
With regard to the aging concern, Westinghouse plans to design testability into the valves, in terms of accessibility, test lines and instrumentation.
Lack of adequate information regarding the nature of these tests makes it difficult to determine whether these would identify aging processes.
Two other issues potentially of concern are corrosion and self-welding while in i
the standby mode.
Because the pressure differential across the valve (in the flow direction) will never be any higher than the gravity head of the fluid in the tank, any uncertainty in the delta-P required to open the valve is potentially significant. Therefore, analogy to current plant accumulators is not I
valid. Accumulator operation similarly involves opening of check valves when the RCS pressure drops sufficiently so that the required pressure differential for i
opening of the valve (s) is achieved. Ilowever, any uncertainty in this required pressure is insignificant, because the RCS pressure will generally continue to decrease well below the gas pressure (typically 650 to 700 psig) and gravity head in the tank.
Thus, margin exists to ensure that, even if the valve sticks 3-79
initially, a great enough pressure differential to open the valve will eventually be realized.
Corrosion is one mechanism by which sticking of the valve is postulated to occur.
This issue and the self-welding issue were discussed with experts in check valve failure modes and diagnostics at Oak Ridge National Laboratory (one of them a coauthor of Reference [41]).
The next few paragraphs are based on our understanding of this discussion.
The corrosive processes affecting the valve could act along the hinge pin or the seat contact area of the check valve.
However, such corrosion results in development of a film, rather than a " glue," on these surfaces. Upon demand of the valve, normal and shear forces generated by even a low pressure differential across the valve would make it very unlikely that the film would bind the valve shut.
A second, related mechanism is self-welding. This process was identified by EPRI as a possible concern for low pressure valves held shut over long periods of time against a large differential pressure.
In the case of the IRWSTs, this is RCS pressure, 2250 psi. According to an ORNL valve expert, self-welding is a process which is possible only when the two pieces of metal are pushed together with such a force that the intermolecular forces come into play. A measure of the force necessary for this to occur is the yield strength of the metal.
A rough calculation was performed to determine the pressure acting along the stellite-to-stellite seating surface for the valves.
Assuming a six-inch diameter seating surface, with a seating width about 1/9th the radius, or 1/3",
a pressure of 10720 psi was calculated.
If the seating surface is only 1/27th the radius, the result is 30948 psi. Using Marks' Standard Handbook, Table 1,
- p. 5-3 [43), a range of yield strengths of 30,000 to 90,000 psi is reported for steel castings, which probably provides a good lower bound for stellite. Thus, it seems unlikely first, that the designers would specify a valve which would see forces near the yield strength of its internals, and second, that the yield strength would be exceeded with a primary pressure of 2250.
Based on the above arguments, for the purposes of this analysir it was felt that the generic check valve failure rate did not require adjustment to represent the unique environment of these check valves. Importance calculations discussed in Section 3.6 and presented in Appendix PS show the individual IRWST check valve failure-to-open events near the bottom in importance and risk increase ratio.
The only IRT check valve event which shows up at a medium level of importance is the CCF of the check valves in the injection lines.
However, because of the number of valves involved (see Figure P1-7 for the number of check valves in the injection lines of the more current IRWST design--this number is proprietary),
it would be unlikely for the above processes to provide the " lethal shock" (see Section 3.5.2) which would disable all the valves.
In calculating the CCF for a large number of components, the lethal shock contribution generally dominates.
This seems to justify the use of generic CCF probabilities for these valves.
To further investigate the importance of these check valve failures, a recalculation of the base-case, ECC/DHR functional core damage frequency (see Section 3.6.1) was performed using higher failure probabilities for the IRWST
)
check valves. The reader is referred to Section 3.7.1 for a discussion of this 3-80 I
rccalculation.
It showed that it. creasing the check valve failure probability did not increase the overall CDF by signAficant amounts, thereby lending validation to the use of generic check valve values in this particular analysis.
3.5.5.2 Unavailability of Non-Safety-Grade Components Normally Classified as Safety-Grade A second issue related to the data analysis task is the incorporation of typically safety-grade components, such as emergency diesel generators, as non-ocfety grade in the AP600. The question of the applicability of data for these normally safety-grade components arises. For the AP600, safety-grade diesels are n2t necessary, because no safety systems require AC power.
The AP600 startup fsedwater system, similar to the auxiliary feedwater system in current plants, j
is also non-safety.
l l
This issue essentially reduces to two considerations:
(1) whether the l
cicssification of the system as safety versus non-safety affects the demand-l related failure probability of the system, and (2) whether a higher test or t
ceintenance unavailability applies to the these systems.
To gain a better understanding, the first point was discussed with an expert in the area of equipment qualification at Sandia National Laboratories. This expert felt that clessification as safety grade has little or nothing to do with equipment reliability in normal environments. Rather, the qualification as safety grade refers to a demonstration of the system's performance in adverse environments.
(Note:
this issue could therefore be important when considering external initiating events, such as seismic events, which are outside the scope of this study.)
A study performed at Los Alamos National Laboratory to analyze In-Plant Reliability Data System (IPRDS) data using the Failure Rate Analysis Code, FRAC, supports the statement that equipment qualification likely does not influence dsrand-related unavailability.
The study examined the combined effects of vcrious factors on component failure rates.
The results showed no apparent difference in the various component failure rates for safety versus non-safety components.
Further, reference [44), Table 8, shows an approximately equal dstand failure probability for safety and non-safety A0Vs and MOVs.
When all valve types are taken together, the non-safety components actually have a lower fcilure probability, by about a factor of two.
i The effort to find data for non-safety diesel generators was unsuccessful. For l
tha measures of diesel generator performance (failure to start, failure to run, I
common-cause failure, and test / maintenance unavailability) used in this study, the EPRI ALUR requirements document for advanced reactors was consulted. These values (see Table P4-1 in Volume 2, the proprietary appendices) are thought to be the best available, because Westinghcuse has made a commitment to show that l
tha reliability values in the EPRI document are met at the minimum.
l l
Tha second consideration for safety versus non-safety grade components is cointenance unavailability.
With regard to pumps, reference [45] presents a olightly higher maintenance unavailability for non-safety versus safety pumps.
This higher value was used in this analysis. Similar information for valves was not found. Reference [44] indicates a higher maintenance frequency for safety-related valves, but does not have such information for the important measure of l
l 3-81 l
t
i maintenance / test duration. Without additional data in this area, and given the
{
relatively small increase in maintenance unavailability indicated in. reference
[45] for non-safety pumps, no other non-safety components were adjusted for a higher maintenance unavailability.
However, it is felt that maintenance unavailabilities for these non-safety components were handled in a somewhat conservative manner. Instead of assigning a train unavailability due to test and maintenance, individual components within the train were assigned independent test and maintenance unavailabilities. This does not allow for intersection of maintenance events, where several components within a train are maintained concurrently, and which would result in a lower maintenance unavailability for t
each component.
l i
P
+
t h
I i
1 3-82 4
i i
.._,____ _ _ __ _.,,,___ _.,.___.._. ~ _. _ _ _ _., __.---
I TABLE 3.5-1.
SWMART DATA TABLE, Bon-Proprietary Vtreica EVENT NAME RATE TIME MEAN DIST. TYPE EF EVENT DESCRIPTION NOTES SOURCE ACC-CKV-FT-7028A 1.00E-4/D 1.00E-4 LOG NOR 3-Check Valve Failure to Open ASEP Generic Data (1)
ACC-CKV-FT-7028B 1.00E-4/D 1.00E-4 LOG NOR 3
Check valve Failure to Open ASEP Generic Data (1]
ACC-CKV-FT-V029A 1.00E-4/D 1.00E-4 LOG NOR 3
Check Valve Failure to Open ASEP Generic Data (1)
ACC-CKV-FT-V029B 1.00E-4/D 1.00E-4 LOG NCR 3
Check Valve Failure to Open ASEP Generic Data (1)
ACC-tCV-0C-V027A 1.00E-7/Br 24Hr 2.40E-6 LOG NOR 3
POV Failure to Remain Open ASEP Generic Data (1)
ACC-t0V-0C-V027B 1.00E-7/Br 24Hr 2.40E-6 LOG NOR 3
POV Failure to Remain Open ASEP Generic Data (1)
ACC-t0V-PG-V027A 1.00E-7/Hr 18Mo 6.58E-4 LOG NCR 3
tDV Failure Due to Plugging (1)
ASEP Generic Date [1]
ACC-TOV-EG-V027B 1.00E-7/Br 18Mo 6.58E-4 LOG NOR 3
MOV Failure Due to Plugging (1)
ASEP Generic Date [1]
ACC-TNK-RP-T001A 2.70E-9/Br 24Hr 6.48E-7 LOG NOR 10 Tank Ruptures (2)
EOG-SSRE-8875 (3)
ACC-TNK-RP-T001B 2.70E-8/Br 24Hr 6.48E-7 LOG MOR 10 Tank Ruptures (2)
EOG-SSRE-8875 [3]
ACP-BUS-BW-LD14 9.00E-5/D 9.00E-5 LOG NOR 5
Bardware Failure of 480 VAC Bue Surry PRA [4]
wy ACP-BUS-BW-LD24 9.00E-5/D 9.00E-3 LOG NOR 5
Hardware Failure of 480 VAC Bus Surry PRA (4) w ACP-BUS-BW-M1 9.00E-5/D 9.00E-5 LOG NOR 5
Bardware Failure of 4160 VAC Bus Surry PRA (4]
ACP-BUS-BW-M2 9.00E-5/D 9.00E-5 LOG NOR 5
Hardware Failure of 4160 VAC Bus Surry PRA [4]
ACP-BUS-fM-M3 9.00E-5/D 9.00E-5 LOG NCR 5
Bardware Failure of 4160 VAC Bus Surry PRA [4]
ACP-BUS-!M-M4 9.00E-5/D 9.00E-5 LOG NOR 5
Bardware Failure of 4160 VAC Bus Surry PRA [4]
ACP-CRB-BW-ACB1A 2.90E-5/D 2.90E-5 LOG NOR 3
Circuit Breaker Failure Surry PRA (4]
ACP-CRB-fM-ACB1B 2.90E-5/D 2.90E-5 1DG NOR 3
Circuit Breaker Failure Surry PRA tel ACP-CRB-HW-ACB2A 2.90E-5/D 2.90E-5 LOG NOR 3
Circuit Breaker Failure Surry PRA [4]
ACP-CRB-BW-ACB2B 2.90E-5/D 2.90E-5 LOG NOR 3
Circuit Breaker Failure Surry PRA [4]
I ACP-CRB-fM-ACB3A 2.90E-5/D 2.90E-5 LOG NOR 3
Circuit Breaker Failure Surry PRA [4]
ACP-CRB-BW-ACB3B 2.90E-5/D 2.90E-S IDG NOR 3
Circuit Breaker Failure Surry PRA [4]
ACP-CRB-BW-ACB3C 2.90E-5/D 2.90E-5 LOG NOR 3
Circuit Breaker Failure Surry PRA (4)
ACP-CRB-BW-ACB3D 2.90E-5/D 2.90E-5 LOG NOR 3
Circuit Breaker Failure Surry PRA I4) a
Table 3.5-1.
Se== mary Date Table, Em-Proprietary Version Cat'd EVENT NAME RATE TIME MEAN DIST. TTPE EF EVENT DESCRIPTION NOTES SOURCE ACP-CRB-HW-ACB4A 2.90E-5/D 2.90E-5 LOG NOR 3
Circuit Breaker Failure Surry PRA [4]
ACP-CRB-EW-ACB4B 2.90E-5/D 2.90E-5 LOG NOR 3
Circuit Breaker Failure Surry PRA [4]
ACP-CRB-EW-ACB4C 2.90E-5/D 2.90E-5 LOG NOR 3
Circuit Breaker Failure Surry FRA [4]
ACP-CRB-BW-ACB4D 2.90E-5/D 2.90E-3 LOG MOR 3
Circuit Breaker Failure Surry PRA [4]
ACP-CRB-BW-ACB5A 2.90E-5/D 2.90E-5 LOG NOR 3
Circuit Breaker Failure Surry PRA (4]
ACP-CRB-BW-ACB5B 2.90E-5/D 2.90E-5 LOG NOR 3
Circuit Breaker Failure Surry PRA (4]
ACP-CRB-BW-ACB5C 2.90E-5/D 2.90E-5 LOG NOR 3
Circuit Breaker Failure Surry PRA (4)
ACP-CRB-HW-ACBSD 2.90E-5/D 2.90E-5 IOG NOR 3
Circuit Breaker Failure Surry PRA (4)
ACP-LOSP 2.00E-4/D 2.00E-4 LOG NOR 3
Random Losa of Off-Site Fower Surry PRA (4)
ACP-FCC-BW-tCC1A 9.00E-5/D 9.00E-5 LOG NOR 5
Buswork Bardware Failure Surry PRA (4]
y ACP-MCC-BW-tCC1B 9.00E-5/D 9.00E-5 LOG NOR 5
Buswork Hardware Failure Surry PRA (4]
co D
ACP-TFM-BW-X1 4.80E-5/D 4.80E-3 LOG MOR 10 Bardware Failure of Step Up Transformer ASEP Generic Data (1]
ACP-TIM-BW-X2-1 4.80E-5/D 4.80E-5 LOG NOR 10 Bardware Failure of Transformer ASEP Generic Date [1]
ACP-T m-HW-X25W 9.00E-5/D 9.00E-5 LOG NOR 5
AC Hardware Failure ASEP Generic Data (1]
ACP-TIM-HW-X3-1 4.80E-5/D 4.80E-5 LOG NOR 10 Hardware Failure of Aux Transformer ASEP Generic Date [1]
ACP-TIM-HW-X3HW 4.80E-5/D 4.80E-5 LOG NOR 10 AC Hardware Failure ASEP Generic Data (1)
ACP-TEN-HW-X4A 4.80E-5/D 4.80E-5 LOG NOR 10 Hardware Failure of 4160/480 VAC Trans.
ASEP Generic Data (1)
ACP-TFM-BW-X4B 4.80E-5/D 4.80E-5 LOG NOR 10 Bardware Failure of 4160/480 VAC Trana.
ASEP Generic Data (1]
CMT-A0V-FA-MMf 1.00E-3/D 1.00E-5 LOG NOR 3
Valve Control Circuit Ccanand Faults ASEP C-eneric Data (1]
CNT-A0V-FT-MfM 1.00E-3/D 1.00E-3 LOG NOR 3
ADV Failure to Open ASEP Generic Data (1]
Ctfr-AOV-OC-MfM 1.00E-7 24Hr 2.40E-6 IJ0G NOR 3
ADV Fails to Retnain Open ASEP Generic Data (1]
Ctfr-CKY-FT-7016A 1.00E-4/D 1.00E-4 LOG NOR 3
Check valve Failure to Open ASEP Generic Data (1]
CNT-CKV-FT-V016B 1.00E-4/D 1.00E-4 LOG MOR 3
Check Valw Failure to Open ASEP Generic Data (1]
CNT-CKV-FT-V017A 1.00E-4/D 1.00E-4 LOG NOR 3
Check valve FC ture to Open ASEP Generic Data (1)
Tabla 3.5-1.
Wry Data Table, Num-Proprietary Vereien, Cent.'d EVENT NAPE RATE TIME MEAN DIST. TYPE EF EVENT DESCRIPTION NOTES SOURCE Off-CKY-TT-V017B 1.00E-4/D 1.00E-4 LOG NOR 3
Check Valve Teilure to Open ASEP Generic Data (11 CMI-FLR-PG-A 3.00E-4/D 3.00E-4 LOG NOR 3
Plugging of Flow Restrictor (4)
ASEP Generic Date [1]
Off-FLR-PG-B 3.00E-4/D 3.00E-4 LOG NOR 3
Plugging of Flow Restrictor (4)
ASEP Generic Date (11 Off-TNK-PG-7002A 3.00E-4/D 3.00E-4 LOG NOR S
Tank Failure Due to Plugging (8)
Surry PRA (4]
Off-TNK-PG-T0028 3.00E-4/D 3.00E-4 LOG NOR S
Tank Failure Due to Plugging (8)
Surry PRA (4]
Off-TNK-RP-T002A 2.70E-8/Br 24Hr 6.48E-7 LOG NOR 10 Tank Ruptures (2)
EGG-SSRE-8875 (3)
Off-TNK-RP-T002B 2.70E-8/Br 24Hr 6.48E-7 LOG NOR 10 Tank Ruptures (2)
EOG-SSRE-8875 [3]
CMT-IVM-PG-V001A 1.00E-7/Br 18Mo 6.58E-4 LOG NOR 3
Manuel V1v. Fall. Due to Plugging (1)
ASEP Generic Date [1]
oft-XVM-PG-V001D 1.00E-7/Br 18Mo 6.58E-4 LOG NOR 3
Manuel Viv. Fall. Due to Plugging (1)
ASEP Generic Date [1]
CMT-XVM-PG-7013A 1.00E-7/Er 18Mo 6.58E-4 LOG NOR 3
Manuel Viv. Fall. Due to Plugging (1)
ASEP Generic Date [1]
Off-XVM-PG-V013B 1.00E-7/Br 18Mo 6.58E-4 LOG NOR 3
Manuel Viv. Teil. Due to Plugging (1)
ASEP Generic Date [1]
b DCP-BAT-BW-B1-1 1.00E-6/Br 2Mo 7.20E-4 LOG NOR 3
Bettery Fails to supply Power Surry PPA [4]
w DCP-BAT-BW-B1-2 1.00E-6/Hr 2Mo 7.20E-4 LOG NOR 3
Bettery Fails to supply Power Surry PRA [4]
DCP-BAT-BW-E2-1 1.00E-6/Br 2Mo 7.20E-4 LOG NCR 3
Bettery Fails to Supply Power Surry PRA (4]
DCP-BAT-HW-B2-2 1.00E-6/Er 2fts 7.20E-4 LOG NOR 3
Bettery Falle to Supply Power Surry PRA (4)
DCP-BAT-HW-B3-1 1.00E-6/Br 2Mo 7.20E-4 LOG NOR 3
Bettery Fails to Supply Power Surry PRA (4)
DCP-BAT-BW-B3-2 1.00E-6/Br 2Mo 7.20E-4 LOG NCR 3
Bettery Falle to Supply Power Surry PRA [4]
DCP-BAT-BW-84-1 1.00E-6/Br 2Mo 7.20E-4 LOG NOR 3
Bettery Falle to Supply Power Surry PRA [4]
DCP-BAT-HW-B4-2 1.00E-6/Hr 2Ho 7.20E-4 LOG NOR 3
Bettery Falle to supply Power Surry PRA [4}
DCP-BUS-BW-1A 9.00E-5/D 9.00E-5 LOG NOR 5
Hardware Failure of 125 VDC Bue surry PRA [4]
DCP-BUS-BW-1B 9.00E-5/D 9.00E-5 LOG NOR 5
Hardware Fe11ere of 125 VDC Bus Surry PRA (4)
DCP-BUS-BW-1C 9.00E-5/D 9.00E-5 LOG NOR 5
Hardware Failure of 125 VDC Bus Surry PRA (41 DCP-BUS-BW-1D 9.00E-5/D 9.00E-5 LOG NOR 5
Hardware Failure of 125 VDC Bue surry PRA (4]
DCP-BUS-BW-2A 9.00E-5/D 9.00E-5 LOG NOR 5
Hardware Failure of 125 VDC Bus Surry PRA (4)
Table 3.5-1.
Summunry Data Table, Non-Proprietary Version, Cont'd EVENT NAME RATE TIME MEAN DIST. TTPE EF EVENT DESCRIPTION NOTES SOURCE DCP-BUS-BW-25 9.00E-5/D 9.00E-5 LOG NOR 5
Bardware Teilure of 125 VDC Bus surry FRA [4]
DCP-BUS-BW-2C 9.00E-5/D 9.00E-5 LOG NOR 5
Bardware Teilure of 125 VDC Bus surry FRA [4]
DCP-BUS-BW-2D 9.00E-5/D 9.00E-5 LOG NOR 5
Bardware Failure of 125 VDC Bus surry FRA [4]
DCP-BUS-BW-DCDP 1 9.00E-5/D 9.00E-5 LOG NOR 5
Bardware Failure of DC Dist. Penet Surry PRA [4]
DCP-BUS-BW-DCDP 2 9.00E-5/D 9.00E-5 LOG NOR 5
Bardware Failure of DC Dist. Fanel Surry PRA [4]
DCP-BUS-BW-DCDP 3 9.00E-5/D 9.00E-5 LOG NOR 5
Bardware Failure of DC Dist. Fenel Surry FRA [4]
DCP-BUS-BW-DCDP 4 9.00E-5/D 9.00E-5 LOG NOR 5
Bardware Failure of DC Dist. Fanel surry PRA [4]
DCP-BUS-BW-DP141 9.00E-5/D 9.00E-5 LOG NOR 5
Buswork Hardware Failure Surry FRA [4]
DCP-BUS-BW-DP142 9.00E-5/D 9.00E-5 LOG MOR 5
Buswork Hardware Failure surry 11tA [4]
DCP-BUS-BW-DP241 9.00E-5/D 9.00E-5 LOG NOR 5
Buswork Hardware Fellure Surry FRA [4]
DCP-BUS-BW-DP242 9.00E-5/D 9.00E-5 LOG NOR 5
Baswork Hardware Failure Surry PRA [4]
w C"
DCP-CBR-BW-DCB1A 2.90E-5/D 2.90E-5 LOG MOR 3
Circuit Breaker Failure Surry FRA (4)
DCP-CBR-BW-DCB1B 2.90E-5/D 2.90E-5 LOG NOR 3
Circuit Breaker Failure Surry FRA (4]
DCP-CBR-BW-DCBIC 2.90E-5/D 2.9CE-5 LOG MOR 3
Circuit Breaker Failure surry FRA (4]
DCP-CBR-BW-DCB1D 2.90E-5/D 2.90E-5 LOG NOR 3
Circuit Breaker Failure Surry FRA [4]
DCP-CBR-BW-DCB2A 2.90E-5/D 2.90E-5 LOG NOR 3
Circuit Breaker Failure Surry FRA [4]
DCP-CBR-BW-DCB2B 2.90E-5/D 2.90E-5 LOG NOR 3
Circuit Breaker Failure surry FRA (4)
DCP-CBR-BW-DCB2C 2.90E-5/D 2.90E-5 LOG NOR 3
Circuit Breaker Failure Surry PRA [4]
DCP-CBR-BW-DCB2D 2.90E-5/D 2.90E-5 LOG MOR 3
Circuit Breaker Failure Surry FRA (4)
DCP-CBR-BW-DCB3A 2.90E-5/D 2.90E-5 LOG NOR 3
Circuit Breaker Failure Surry PRA (4]
DCP-CBR-BW-DCB3B 2.90E-5/D 2.90E-5 IJDG NOR 3
Circuit Breaker Failure Surry PRA [4]
DCP-CBR-BW-DCB3C 2.90E-5/D 2.90E-5 LOG NOR 3
Circuit Breaker Failure Surry PRA [4]
DCP-CBR-BW-DCB3D 2.90E-5/D 2.90E-5 1,0G NOR 3
Circuit Breaker Failure Surry PRA [4]
DCP-CBR-BW-DCB4A 2.90E-5/D 2.90E-5 LOG NOR 3
Circuit Breaker Fellure Surry PRA [4]
Table 3.5-1.
5-ry Data Table, Bae-Proprietary Verences, Cant'd EVENT NAME RATE TIME MEAN DIST. TTPE EF EVENT DESCRIPTION NOTES SOCRCE M
DCP-CBR-HW-DCB4B 2.90E-5/D 2.90E-5 LOG MOR 3
Circuit Breaker Failure Surry PRA [4]
DC?-CER-HW-DCB4C 2.90E-5/D 2.90E-5 1DG NOR 3
Circuit Breaker Failure Surry PRA [4]
DCP-CBR-BW-DCB4D 2.90E-5/D 2.90E-5 IDG NOR 3
Circuit Breaker Failure Surry PRA [4]
DCP-CBR-BW-DCB5A 2.90E-5/D 2.90E-5 LOG NOR 3
Circuit Breaker Failure Surry PRA [4]
i DCP-CBR-BW-DCB5B 2.90E-5/D 2.90E-5 IJ0G NOR 3
Circuit Breaker Failure Surry PRA [4]
DCP-CBR-BW-DCB5C 2.90E-5/D 2.90E-5 LOG NOR 3
Circuit Breaker Failure Surry PRA [4]
DCP-CBR-BW-DCB5D 2.90E-5/D 2.90E-5 LOG NOR 3
Circuit Breaker Failure Surry PRA [4]
DCP-CBR-BW-DCB6A 2.90E-5/D 2.90E-5 LOG NOR 3
Circuit Breaker Fellure Surry PRA [4]
DCP-CBR-BW-DCB6B 2.90E-5/D 2.90E-5 IDG NOR 3
Circuit Breaker Failure Surry PRA [4]
DCP-CBR-BW-DCB6C 2.90E-5/D 2.90E-5 LOG NOR 3
Circuit Breaker Failure Surry PRA [4]
y DCP-CBR-BW-DCB6D 2.90E-5/D 2.90E-5 LOG NOR 3
Circuit Breaker Failure Surry PRA [4]
co N
DCP-CBR-EW-DCB7A 2.90E-5/D 2.90E-5 LOG NOR 3
Circuit Breaker Failure Surry PRA [4]
DCP-CBR-BW-DCB7B 2.90E-5/D 2.90E-5 LOG MOR 3
Circuit Breaker Failure Surry PRA [4]
DCP-CBR-EW-DCB7C 2.90E-5/D 2.90E-5 LOG NOR 3
Circuit Breaker Failure Surry PRA [4]
DCP-CBR-BW-DCB7D 2.90E-5/D 2.90E-5 LOG NOR 3
Circuit Breaker Failure Surry PRA [4]
DCP-CHG-BW-C1-1 1.00E-6 2Mo 7.20E-4 LOG MOR 3
Hardware Failure of Charger ASEP Generic Data [1]
i DCP-CHG-HW-Cl-2 1.00E-6 2Mo 7.20E-4 LOG MOR 3
Hardware Failure of Charger ASEP Generic Data [1]
DCP-CHG-HW-C2-1 1.00E-6 2Mo 7.20E-4 IDG NOR 3
Bardware Failure of Charger ASEP Generic Data (1)
DCP-CHG-BW-C2-2 1.00E-6 2Mo 7.20E-4 IJ0G NOR 3
Bardware Failure of Charger ASEP Generic Data (1)
DCP-CHG-BW-C3-1 1.00E-6 2Mo 7.20E-4 LOG NOR 3
Hardware Failure of Charger ASEP Generic Date [1]
DCP-CHG-BW-C3-2 1.00E-6 2Mo 7.20E-4 LOG NOR 3
Hardware Failure of Charger ASEP Generic Date [1)
DCP-CHG-BW-C4-1 1.00E-6 2Mo 7.20E-4 LOG NOR 3
Bardware Failure of Charger ASEP Generic Data (1)
DCP-CHG-HW-C4-2 1.00E-6 2Mo 7.20E-4 LOG NOR 3
Hardware Failure of Charger ASEP Generic Dsta [1]
3 4
DCP-CRB-BW-DCBBA 2.90E-5/D 2.90E-5 LOG NOR 3
Circuit Breaker Failure Surry PRA [4]
a 4
I l
Table 3.5-1.
S - y Date Table, Non-Proprietary Vernian, Cant'd EVENT NAME RATE TIME MEAN DIST. TYPE EF EVENT DESCRIPTION NOTES SOURCE DCP-CRB-BW-DCB8B 2.90E-5/D 2.90E-5 LOG NOR 3
Circuit Breaker Failure Surry PRA (4]
DCP-CRB-BW-DCB8C 2.90E-5/D 2.90E-5 LOG MOR 3
Circuit Breaker Failure Surry PRA [4]
DCP-CRB-BW-DCB93 2.90E-5/D 2.90E-5 LOG MOR 3
Circuit Breaker Failure Surry PRA (4]
i DCP-CRB-BW-DCB9A 2.90E-5/D 2.90E-5 LOG NOR 3
Circuit Breaker Failure Surry PRA (4)
DCP-CRB-RW-DCB9B 2.90E-5/D 2.90E-5 LOG NOR 3
Circuit Breaker Failure Surry PRA (4)
DCP-CRB-RW-DCB9C 2.90E-5/D 2.90E-5 LOG NOR 3
Circuit Breaker Failura Surry PRA [4]
DCP-CR3-HW-DCB9D 2.90E-5/D 2.90E-5 LOG MOR 3
Circuit Breaker Failure Surry PRA (4)
DCP-PCC-W-MCCA 9.00E-5/D 9.00E-5 LOG NOR 5
Hardware Failure oE MCC Surry PRA (4]
DCP-MCC-HW-MCCB 9.00E-5/D 9.00E-5 IXX; NOR 5
Hardware Failure of PCC Surry PRA (4) i DCP-MCC-BW-tCCC 9.00E-5/D 9.00E-5 LOG NOR 5
Bardware Failure of ICC Surry PRA [4]
DCP-NCC-HW-MCCD 9.00E-5/D 9.00E-5 LOG NOR 5
Bardware Failure of MCC Surry PRA (4)
DET-ADV-FA-V004A 1.00E-3/D 1.00E-3 LOG NOR 3
Valve Control Circuit Ccuunand Faulta ASEP Generic Data (1)
DEP-A0V-FA-V004B 1.00E-3/D 1.00E-3 LOG MOR 3
Valve Control Circuit Command Faulta ASEP Generic Data (1)
DEP-A07-FA-V004C 1.00E-3/D 1.00E-3 LOG NOR 3
Valve Control Circuit Commaand Faulta ASEP Generic Data (1) r l
DEP-A07-FA-V004D 1.00E-3/D 1.00E-3 LOG NOR 3
Valve Control Circuit Comanand Faulta ASEP Generic Data [1]
i DEP-A0V-FT-V004A 1.00E-3/D 1.00E-3 LOG NOR 3
ADV Failure to Open ASEP Generic Data (1) 4 DEP-A0V-FT-V004B 1.00E-3/D 1.00E-3 LOG NOR 3
ADV Failure to Open ASEP Generic Data (1)
I DEP-A0V-FT-V004C 1.00E-3/D 1.00E-3 LOG NOR 3
ACV Failure to Open ASEP Generic Data (1)
DEP-A0V-FT-V004D 1.00E-3/D 1.00E-3 LOG MOR 3
ADV Failure to Open ASEP Generic Data til DEP-TOV-FA-V001A 2.50E-3/D 2.50E-3 LOG NOR 10 Valve Control Circuit Comanand Faulta ASEP Generie Data (11 DEP-t0V-FA-V001C 2.50E-3/D 2.50E-3 LOG NOR 10 Valve Control Circuit Command Faulta ASEP Generic Data (1)
DEP-t0V-FA-V002A 2.50E-3/D 2.50E-3 LOG MOR 10 Valve Control Circuit Command Faulta ASEP Generic Data Ill DEP-MOV-FA-V002C 2.50E-3/D 2.50E-3 LOG NOR 10 Valve Control Circuit C-d Faulta ASEP Genarie Data Ill DEP-MOV-FA-V003A 2.50E-3/D 2.50E-3 LOG NOR 10 Valve Control Circuit Command Faulta A5EP Generic Data (1) a m
v.-.
r
Table 3.5-1.
T
, Date Table. Bau-Proprietary Yereteen. Cont'd EVENT NAME RATE TIME IEAN DIST. TTFE EF EVENT DESCRIPTION NOTES SOURCE DEP407-FA-Y003C 2.50E-3/D 2.50E-3 LOG NOR 10 Valve Control Circuit Coeumand Faulta ASEP Generic Data [1]
DEP-MDV-FT-V001A 5.00E-4/D 5.00E-4 1DG NOR 10 10V Failure to Open ASEP Generic Data [1]
DEP-t0V-FT-V001C 5.00E-4/D 5.00E-4 LOG BOR 10 TOV Failure to Open ASEP Generic Data [1]
DEP-107-TT-VQO2A 5.00E-4/D 5.00E-4 LOG NOR 10 POV Failure to Open ASEP Generic Date [1)
DEP-m V-FT-7002C 5.00E-4/D 5.00E-4 LOG NOR 10 Mov Failure to Open ASEP Generic Date [1]
DEP-MOV-FT-V003A 5.00E-4/D 5.00E-4 LOG NOR 10 90V Failure to Open ASEP Generic Data [1]
DEP40V-FT-V003C 5.00E-4/D 5.00E-4 IDG NOR 10 MDV Failure to Open ASEP Generic Data [1]
DEP407-0C-V001B 1.00E-7/Br 245r 2.40E-6 LOG NOR 3
MOV Failure to Reeain Open ASEP Generic Date [1]
DEP-fCV-0C-Y001D 1.00E-7/Hr 24Hr 2.40E-6 LOG NOR 3
POV Failure to Remain Open ASEP Generic Data [1]
DEP40V-0C-V0025 1.00E-7/Br 24Hr 2.40E-6 IDG NOR 3
POV Failure to Remain Open ASEP Generic Date [1]
DEP40V-OC-V002D 1.00E-7/Hr 24Hr 2.40E-6 LOG NOR 3
POV Failure to Remain Open ASE1' Generic Date [1]
DEP-t0V-0C-V003B 1.00E-7/Br 24Hr 2.40E-6 LOG NOR 3
POV Failure to Remain Open ASEP Generic Data [1]
DEP-MOV-0C-V003D 1.00E-7/Er 245r 2.40E-6 LOG NOR 3
POV Failure to Remain Open ASEP Generic Data [1]
DEP40V-IG-V001B 1.00E-7/Er 3tb 1.10E-4 LOG NUR 3
POV Failure Due to Plugging (5,E)
ASEP Generic Data [1]
DEP40V-PG-V001D 1.00E-7/Br 3Mo 1.10E-4 LOG NOR 3
POV Failure Due to Plugging (5.6)
ASEP Generic Date [1]
DEP-t0V-PG-7002B 1.00E-7/Er 3Mo 1.10E-4 LOG NOR 3
POV Failure Due to Plugging (5.6)
ASEP Generic Data [1]
DEP40V-PG-7002D 1.00E-7/Er 3Mo 1.10E-4 LOG h0R 3
POV Failure Due to Plugging (5.6)
ASEP Generic Data [1]
DEP-MDV-PG-V003B 1.00E-7/Hr 3Mo 1.10E-4 IDG NOR 3
POV Failure Due to Plugging (5.6)
ASEP Generic Data [1]
DEP-M07-PG-V003D 1.00E-7/Br 3Mo 1.10E-4 LOG NOR 3
POV Failure Due to Plugging (5.6)
ASEP Generic Data (1)
ECC-A07-FA-V001A 1.00E-3/D 1.00E-3 LOG NOR 3
Valve Control Circuit Connand Fautta ASEP Generic Data [1]
ECC-A07-FA-Y001B 1.00E-3/D 1.00E-3 LOG NOR 3
Valve Control Circuit Consnand Faulta ASEP Generic Date [1]
ECC-A0V-FT-V001A 1.00E-3/D 1.00E-3 LOG NOR 3
Valve Hardware Faulta ASEP Generie Date [1]
l ECC-A0V-FT-V001B 1.00E-3/D 1.00E-3 LOG NOR 3
Valve Hardware Faulta ASEP Generic Data [1]
ECC-AOC-OC-V001A 1.00E-7/Hr 24Hr 2.40E-6 LOG NOR 3
ADV Fails to Remain Open ASEP Generic Date [1]
i t
4 4
Table 3.5-1.
W ry Date Table, Bau-Prayrietary Version, Cant'd EVENT NME RATE TIME tEAN DIST. TYPE EF (VENT DESCRIPTION NOTES SOURCE ECC-AOC-CC-Y001B 1.00E-7/Br 24Hr 2.40E-6 LOG NOR 3
A07 Fails to Remain Open ASEP Generie Data (1)
ECC-TOV-OC-V002A 1.00E-7/Br 24Hr 2.40E-6 LOG NOR 3
POV Failure to Remain Open ASEP Generic Data (11-ECC-TOV-OC-V0025 1.00E-7/Br 24Hr 2.40E-6 LOG NOR 3
TOV Failure to Remain Open ASEP Generic Data (1)
ECC-TOV-PG-V002A 1.00E-7/Br 18Mo 6.58E-4 LOG NOR 3
POV Failure Due to Plugging (1)
ASEP Generic Data (1)
ECC-TOV-PG-V002B 1.00E-7/Br leMo 6.58E-4 LOG NOR 3
IOV Fe11ure Due to Plugging (1)
ASEP Generic Date [1]
i j
IRT-CKV-CO-MM9 5.00E-7/Br 24Hr 1.20E-5 LOG MOR 10 Chk. Viv. Fails to Remain Closed (7)
IREP (81 IRT-CKV-FT-#NM 1.00E-4/D 1.00E-4 LOG MOR 3
Check Valve Failure to Open ASEP Generie Data (1) i IRT-TOV-OC-V121A 1.00E-7/Br 24Hr 2.40E-6 LOG MOR 3
POV Failure to Remain Open ASEP Generic Date (1)
IRT-TOV-OC-V1215 1.00E-7/Br 24Hr 2.40E-6 LOG NOR 3
107 Failure to Romain Open ASEP Generic Data (1)
IRT-POV-PG-V121A 1.00E-7/Er 18Ho 6.58E-4 LOG NOR 3
10V Pluss while standby (1)
ASEP Generic Data (1) l IRT-POV-PG-V121B 1.00E-7/Hr 18Mo 6.58E-4 IDG MOR 3
POV Plass while standby (1)
ASEP Generic Data (1) w IRT-XVM-CO-V127 1.00E-4/D 1.00E-4 LOG NOR 3
Manuel Velve Fatis to Remain Closed ASEP Generic Data (11 i
LLOCA 3.00E-4/yr 3.00E-4 LOG NOR 3
Large Loss of Coolant Accident Initiator Westinghouse PDR I
LOSP 9.70E-2/yr 9.70E-2 LOG NOR 3
Loss of Off-Site Power Initiator Westinghouse PDR 29H 5.00E-1/D 5.00E-1 POINT EST.
Main Feedwater System Uneveilability Westinshouse PDR ISJOCA 8.00E-4/yr 8.00E-4 LOG NOR 3
Meditsu Loss of Coolant Accident Westinghouse PDR l
Initistor i
NRB-CEV-FT-V007 1.00E-4/D 1.00E-4 LOG NOR 3
Check Valve Failure to Open ASEP Generic Data (1) 4 NRB-CKV-FT-V008A 1.00E-4/D 1.00E-4 LOG NOR 3
Check Valve Failure to Open ASEP Generic Data (1)
NRB-CKV-FT-V008B 1.00E-4/D 1.00E-4 LOG NOR 3
Check Valve Failure to Open ASEP Generic Data (1) j NRH-CKV-FT-V009A 1.00E-4/D 1.00E-4 LOG MOR 3
Check Valve Failure to Open ASEP Generic Data (1]
NRH-CKV-FT-V0095 1.00E-4/D 1.00E-4 LOG NOR 3
Check Valve Failure to Open ASEP Generic Data (1)
L NRH-FLR-PG-A 3.00E-4/D 3.00E-4 LOG NOR 3
Plussins of Flow Restrictor (4)
ASEP Generic Data (1]
t
)
NRB-Ful-PG-B 3.00E-4/D 3.00E-4 LOG NOR 3
Plussins of Flow Restrictor (4)
ASEP Generic Data (1) l NRB-HTX-LK-8001A 3.00E-6/Br 24Hr 7.20E-5 LOG NOR 10 Leek Develope in Operation ASEP Generic Date (1) n
,. - ~. - -..,,,
Tabla 3.5-1.
T
_, Data Tabla, meer-Proprietary Tereton, Cant *d EVENT NAME RATE TIME MEAN DIST. TYPE EF EVENT DESCRIPTION NOTES SOUPIE NRH-HTX-LK-H001B 3.00E-6/Br 24Hr 7.20E-5 LOG NOR 10 Leak Develops in Operation ASEP Generic Data (1)
FRE-HTX-PG-H001A 5.70E-6/Br 24Hr 1.37E-4 LOG NOR 10 Heat Exchanger Fluge in Operation ASEP Generic Data (11 NRH-HTX-PG-H001B 5.70E-6/Br 24Hr 1.37E-4 LCU NOR 10 Heat Exchanger Pluss in Operation ASEP Generic Data (11 NRh-HTX-TM-8001A 8.00E-4/D 8.00E-4 LOG NOR 10 Heat Exch. Unevail. Due to T&M (9)
ASEP Generic Data (11 NRH-HTX-TM-H0015 8.00E-4/D 8.00E-4 LOG NOR 10 Heat Exch. Uneveil. Due to tan (9)
ASEP Generic Date (1)
NRH-HTX-UI-CCWS 3.00E-5 LOG NOR 10 Ceeponent Cooling Water Faults (10)
Surry PRA [4]
NRB-POP-FR-P001A 3.00E-5/Br 24Hr 7.20E-4 LOG NCR 10 POP Failure to Run ASEP Generic Data (1)
NRH-POP-FR-P001B 3.00E-5/Br 24Hr 7.20E-4 LOG NOR 10 MDP Failure to Run ASEP Generie Data [1]
NRR-POP-FS-P001A 4.00E-4/D 4.00E-4 LOG NOR 10 POP Failure to Start ASEP Generic Date (1)
NRR-POP-FS-P001B 4.00E-4/D 4.00E-4 LOG NOR 10 POP Failure to Start ASEP Generic Data (1)
NRH-TOP-TM-P001A 2.00E-3/D 2.00E-3 LOG NOR 10 POP Unevallable due to T&M (Non-Safety)
RMIEP Database (7)
NRB-POP-TM-P001B 2.00E-3/D 2.00E-3 LOG NOR 10 POP Unevailable due to tam (Non-Safety)
RMIEP Database (7]
NRB-MOV-FT-V001A 5.00E-4/D 5.00E-4 LOG NOR 10 207 Fails to Open on Demand ASEP Generic Deta.[1]
NRH-MOV-FT-V001B 5.00E-4/D 5.00E-4 LOG NOR 10 POV Fails to Open on Demand ASEP Generic Data (1)
NRH-POV-TT-V002A 5.00E-4/D 5.00E-4 LOG NOR 10 Nov Fails to open on Demand ASEP Generic Data (1)
NRB-MOV-FT-V002B 5.00E-4/D 5.00E-4 LOG NOR 10 POV Fails to Open on Demand ASEP Generic Date [1]
NRH-MOV-FT-V003 5.00E-4/D 5.00E-4 LOG NOR 10 MOV Fails to Open on Demand ASEP Generic Date [1]
NRH-MOV-FT-V006 5.00E-4/D 5.00E-4 IDG NOR 10 POV Fails to Open on Demand ASEP Generic Data (1)
NRB-MOV-CO-V010 5.00E-7/Br 18Mo 3.29E-3 LOG NOR 10 POV Fails to Remain Closed (1)
ASEP Generic Data (1)
NRB-MDV-OC-Voll 1.00E-7/Br 24Br 2.40E-6 LOG NOR 3
MOV Failure to Remain Open ASEP Generic Date (11 NKB-MOV-00-V011 5.00E-4/D 5.00E-4 LOG NOR 10 Velve Hardware Faults ASEP Generic Data (1)
NRB-MOV-PG-V011 1.00E-7/Br IBMo 6.58E-4 IDG NOR 3
MOV Failure Due to Plugging (1)
ASEP Generic Data (1)
NRH-MOV-RE-V010 3.00E-3 LOG NOR 10 Failure to Restore After Test /Maint.
HRA NRB-POV-TM-V003 8.00E-4/D 8.00E-4 LOG NOR 10 POV Unevellable Due to Test /Maint.
ASEP Generic Data (1) 4 m.
e m
m.
Table 3.5-1.
Sesaaery Data Table Bost-Proprietary Version, Cont'd EVENT NAME RATE TIME MEAN DIST. TTPE EF EVENT DESCRIPTION NOTES SOURCE NRB-MOV-TM-V006 8.00E-4/D 8.00E-4 LOG NOR 10 ffTf Unave11able Due to Test /Maint.
ASEP Generic Data [1]
NRH-XHE-FO-ALGN1 1.25E-1 IDG NOR 5
NRHR Recirculation Alignment & Actuation ERA NRB-XHE-FO-ALGN2 6.10E-2 LOG NOR S
NRHR Inject /Rectre A11grunent & Actuation ERA NRH-XVM-PG-V004A 1.00E-7/Hr leMo 6.58E-4 LOG NOR 3
Manuel Valve Fails Due to Plugging ASEP Generic Data Ill NRH-XVM-PG-V004B 1.00E-7/Br IBMo 6.58E-4 LOG NOR 3
Manuel Velve Fails Due to Plugging ASEP Generic Date [1]
PRB-ACV-FA-V108A 1.00E-3/D 1.00E-3 LOG NOR 3
Velve Control Circuit Coernand Faults ASEP Generic Date [1]
PRB-A0V-FA-V108B 1.00E-3/D 1.00E-3 IDG NOR 3
Valve Control Circuit Comunand Faults ASEP Generic Data [1]
PRB-ACV-FT-V108A 1.00E-3/D 1.00E-3 LOG NOR 3
Velve Hardware Faults ASEP Generic Data (1)
PRB-A0V-FT-V1088 1.00E-3/D 1.00E-3 LOG NOR 3
Velve Hardware Faults ASEP Generic Data [1]
PRH-HTX-LK-HX001 3.00E-6/Br 24Hr 7.20E-5 IJ0G NOR 10 Leakage Occurs During Operation ASEP Generic Data [1]
PRB-HTX-LK-HXOO2 3.00E-6/Br 24Hr 7.20E-5 LOG NOR 10 Leekage Occurs During Operation ASEP Generic Data (1]
g PRH-HTX-LK-HX003 3.00E-6/Br 24Hr 7.20E-5 LOG NOR 10 Leakage Occurs During Operation ASEP Generic Data (11 PRH-HTX-PG-HX001 5.70E-6/Hr 24Hr 1.37E-4 LOG NOR 10 Plugging Occurs During Operation ASEP Generic Data (11 FRM-HTX-PG-HXOO2 5.70E-6/Br 24Hr 1.37E-4 LOG NOR 10 Plugging Occurs During Operation ASEP Generic Date Ill PRH-HTX-PG-HX003 5.70E-6/Br 24Hr 1.37E-4 LOG NOR 10 Plugging Occurs During Operation ASEP Generic Data (1)
PRB-ICC-FA-V108A 2.71E-6/Br 24Hr 6.50E-5 LOG MOR 10 Pnuem. Actuator, Throttling (12)
IEEE-STD-500 (2)
FRB-ICC-FA-V108B 2.71E-6/Br 24He 6.50E-5 LOG NOR 10 Pnues. Actuator Throttling (12)
IEEE-STD-500 [2]
PRH-t07-OC-V101 1.00E-7/Br 24Hr 2.40E-6 LOG NOR 3
MOV Failure to Remain Open ASEP Generie Data (1)
PRB-MOV-PG-V101 1.00E-7/Br 3Mo 1.10E-4 LOG MOR 3
Manuel Valve Pluss (5,13)
ASEP Generic Data (1)
PRH-XVM-PG-V102 1.00E-7/Br 3Mo 1.10E-4 IDG MOR 3
Manuel Valve Pluss (5,13)
ASEP Generic Data Ill FRH-XVM-PG-V103 1.00E-7/Hr 3Mo 1.10E-4 IJ0G NOR 3
Manual Valve Pluss (5,13)
ASEP Generic Date [1]
PRB-XVM-PG-V104 1.00E-7/Br 3Mo 1.10E-4 LOG NOR 3
Manuel valve Pluss (5,13)
ASEP Generic Data (1]
FRH-XVM-PG-V105 1.00E-7/Br 3Mo 1.10E-4 LOG NOR 3
Manual Valve Pluss (5,13)
ASEP Generic Data (1)
PRH-XVM-PG-V106 1.00E-7/Hr 3Mo 1.10E-4 IDG NOR 3
Manuel Valve Plass (5,13)
ASEP Generic Data [1]
Table 3.5-1.
Wey Data Tabla, Ben-Proprietary Vereton, Casut'd EVENT NAPE RATE TITE PEAN DIST. TTPE EF EVENT DESCRIPTION NOTES SOL 1tCE PRB-XVM-PG-V107 1.00E-7/Hr 3Mo 1.10E-4 LOG Nm 3
Manual Valve Pluss (5.13)
ASEP Generic Data til PRB-XVM-PG-V109 1.00E-7/Br 3Mo 1.10E-4 LOG NOR 3
Manuel Valve Plu8s (5,13)
ASEP Generic Data [1]
PRB-XVM-RE-V102 3.00E-4 LOG NOR 10 Failure to Restore After Test /Maint.
HRA PRH-XVM-RE-V103 3.00E-4 LOG NOR 10 Failure to Restore After Test /Maint.
BRA PRB-XVM-RE-V104 3.00E-4 LOG NCR 10 Failure to Restore After Test /Maint.
BRA PRB-XVM-RE-V105 3.00E-4 LOG NOR 10 Failure to Restore After Test /Maint.
HRA PRB-XVM-RE-V106 3.00E-4 LOG NOR 10 Failure to Restore After Test /Maint.
HRA i
PRB-XVM-RE-V107 3.00E-4 LOG NOR 10 Failure to Restore After Test /Meint.
BRA l
RPT 1.00E-4/D 1.00E-4 LOG NOR 5
Reactor Coolant Pump Trip (11)
Grand Gulf PRA [10]
SW-A0V-0C-V255A 1.00E-7/Br 24Hr 2.40E-6 10G NCR 3
ADV Fails to Remain Open (14)
ASEP Generic Data [1]
SW-ACV-0C-V255B 1.00E-7/Br 24Hr 2.40E-6 LOG NOR 3
A07 Fails to Remain Open (14)
ASEP Generic Data [1]
w SW-A0V-TM-V255A 8.00E-4/D 8.00E-4 LOG NOR 10 A0V Unsvallable due to T&M ASEP Generic Data [1]
S W-A0V-TM-V255B 5.00E-4/D 8.00E-4 LOG NOR 10 ADV Unavailable due to T&M ASEP Generic Date [1]
S W-A07-UE-IAS 2.70E-5/D 2.70E-5 LOG NCR 3
Loss of Instrtament Air (16)
Surry p. D-81, [4]
S W-CKV-FT-V052 1.03E-4/D 1.00E-4 LOG NOR 3
Check Valve Failure to open ASEP Generic Data [1]
S W-CKV-TT-V058A 1.00E-4/D 1.00E-4 LOG NOR 3
Check Valve Failure to Open ASEP Generic Data (1)
SW-CKV-FT-V058B 1.00E-4/D 1.00E-4 LOG MOR 3
Check Valve Failure to Open ASEP Generic Data [1]
i S W-hDP-FA-P002 2.50E-3/D 2.50E-3 LOG NOR 10 Control Circuit Corunand Faults ASEP Generic Data Ill SFW-TOP-FS-P002A 4.00E-4/D 4.00E-4 LOG NOR 10 MDP Fails to Start ASEP Generic Data til S N-MDP-FS-P002B 4.00E-4/D 4.00E-4 LOG MOR 10 POP Falls to Start ASEP Generic Data [1]
SFW-POP-TM-P002A 2.00E-3/D 2.00E-3 LOG MOR 10 POP Unavailable due to T&M (Non-Safety)
RMIEP Database [7]
SFW-f0P-TM-P0028 2.00E-3/D 2.00E-3 LOG NCR 10 POP Unavailable due to T&M (Non-Safety)
RMIEP Database [7]
SFW-TNK-UE-SPPLT 2.70E-6/D 2.70E-6 LOG NCR 10 Tank Water Supply Insufficient (3)
Surry PRA [4]
S W-XVM-PG-V025 1.00E-7/Br 18Mo 5.58E-4 LOG NCR 3
Manual Viv. Fall. Due to Fluaging (1)
ASEP Generic Data (1) 1 1
l
Table 3.5-1.
Wry Data Table, mass-Proprietary Versina, Cont'd EVENT NME RATE TIME MEAN DIST. TYPE EF EVENT DESCRIPTION NOTES SOURCE SW-XVM-PG-YO26 1.00E-7/Hr 18Mo 6.58E-4 LOG NOR 3
Manual Viv. Fall. Due to Plugging (1)
ASEP Generic Data [1]
SW-XVM-PG-VQ29 1.00E-7/Er 18Mo 6.56E-4 LOG NOR 3
Manual Viv. Fail. Due to Plugging (1)
ASEP Generic Data [1]
SW-XVM-lU-V031 1.00E-7/Br 18Mo 6.58E-4 LOG NOR 3
Manual Viv. Fail. Due to Plugging (1)
ASEP Generic Date [1]
SW-XVM-PG-V032 1.00E-7/Br 18Mo 6.58E-4 LOG NOR 3
Manuel Viv. Fail. Due to Plugging (1)
ASEP Generic Data [1]
S W-XVM-PG-V053 1.00E-7/Br 18Mo 6.58E-4 LOG NOR 3
Manual Viv. Fail. Due to Plugging (1)
ASEP Generic Data [1]
SGTR 3.60E-3/yr 3.60E-3 LOG NOR 3
Steam Generator Tube Rupture Initiator Westinghouse PDR SLOCA 3.00E-3/yr 3.00E-3 LOG NOR 3
Small Loss of Coolant Accident Initiator Westinghouse PDR SMP-CCF-PG-SLNP 7.20E-3 LOG NOR 10 Strainer / Filter Plugged IREP (8) i SMP-CKV-CO-MMf 5.00E-7/Hr 24Hr 1.20E-5 LOG NOR 10 Chk. Viv. Fails to Remain Closed (7)
IREP [8]
SMP-CKV-FT-M9M 1.00E-4/D 1.00E-4 LOG NOR 3
Check Valve Teilure to Open ASEP Generic Data [1]
w b
SMP-MOV-CO-M9M 5.00E-7/Br 24Fr 1.20E-5 LOG NOR 10 MOV Fails to Remain Closed (1)
ASEP Geoeric Date [1]
V SMP-MOV-FA-M9M 2.50E-3/D 2.50E-3 LOG NOR 10 No Actuation Signal to MWs #NM (15)
ASEP Generic Data [1]
SMP-TOV-FT-MM9 5.00E-4/D 5.00E-4 LOG NOR 10 107 Fails to Open on Demand ASEP Generic Data Ill t
DNF 6.50E+0/yr 6.50E+0 LOG NCR 3
Transient With Main Feedwater Initiator Westinghouse PDR IWOMF 5.70E-1/yr 5.70E-1 LOG MOR 3
Trensient Without Main Feedwater Westinghouse PDR Initiator l
WRC-DOV-FA-MMf 2.50E-3/D 2.50E-3 LOG NOR 10 No Actuation Signal to IOva M9M (15)
ASEP Generic Data (11 l
WRC-lOV-FT-MfM 5.00E-4/D 5.00E-4 LOG NOR 10 107 Fails to Close on Demand ASEP Generic Data [1]
i f
Tabla 3.5-1.
Sg Data Tabla. Non-Prayrietary Vereias, Comt'd Notes to Table 3.5-1 MMf - Indicates some of the places where information was removed because of its potentially proprietary nature. Table P4-1 in the Proprietary Appendicos to this report (Vol. 2) contains the full dets listing for the analysis.
(1)
Uneve11 ability is calculated using 1/2 of the maintenance interval, which is asstuned to be once per refueling cycle (18 Months).
(2)
Asstume same as tank external rupture (water or steam working fluid) in Generic Component Failure Data Base for Light Water and Liquid Sodium Reactor PRAs.
(3)
The NUREG/CR-4550 Surry PRA (4) assigns a value of 2.7E-6 to R;rI-TNK-LF-RWST (insufficient flow ave 11able from RWST) and 1.00E-6 to AFW-TNK-YF-CST :
(insufficient flow from 10,000 gallon CST).
(4)
Used value for orifice plugging.
(5)
Unavailability is calculated using 1/2 of the surveillance interval, which is asstased to be once per calendar quarter.
(5)
The MOV that is located upstream of this valve is required to change position when actuated and is tested quarterly. Therefore, it is assumed that any plugging of this MDV will be detected during the test.
(7). Check valve fails due to catastrophic internal leakage during its orposure time.
(8)
Assume same as Plugging of Orifice as listed in ASEP.
(9)
Although ASEP recommends a value of 3E-5/Br for the unavailability of heat exchangers due to test and mainteiance, it was decided that tho' value for manual valves is a more representative number.
(10) This value is based on quantification of a similar heat removal system in the Surry PRA.
Specifically, the fault tree for the Surry Component Cooling Water System evaluates to 3.00E-5.
(11) Estimate of the Reactor Coolant Pump Trip event is based on the Recirculation Ptssp Trip event used in the Grand Gulf 1150 PRA. The estimated value is 1E-4/ demand, as listed in Table 4.9-27 of (101.
(12) The valves V108A&B are normally closed and intended to control the flow of coolant through the system. A failure rate of 2.71E-6 is asstaaed during their mission time. This value was taken from IEEE-STD-500 (Chapter 8).
For these pnetmaatic actuators, failure rates very depending on the type of actuator (e.g., double acting piston, diaphragm, etc.).
Since, at this stage of AP-600 design, the specific type of the valves is unknown, the reconsnended failure rate for pnetssatic actuators (which represents the highest failure rate) for throttling service was selected for this study.
3 (13) Downstream AOVs (V108A&B) are required to change position when actuated and are tested quarterly. Therefore, it is asstamed that any plugging of these valves will be detected during the tests, (14) Asstune same as ASEP " Spurious Closure."
(15) Assume same as ASEP " Valve Control Circuit Ceassend Faults."
(16) This event is assumed to be the same as total loss of instrtament air in the Surry PRA (41.
i
Table 3.5-1 Referescos
[1]
D. M. Ericson, ed.,
" Analysis of Core Damage Frequency: Internal Events Methodology," NUREG/CR-4550, 5AND66-2084 Vol. 1, Sandia National Laboratories, Albuquerque, M. January,1990.
(2)
"IEEE Guide to Collection and Presentation of Electrical, Electronic, and Sensing Component Reliability Data for Nuclear Power Generating Stations," -
IEEE-STD-500 The Institute of Electrical and Electronics Engineers. Inc., New York, NT,1977.
[3]
- 5. A. Eide, et al., " Generic Component Failure Data Base for Light Water and Liquid Sodisse Reactor PRAs" (Informal Report), BGG-SSRE-8875 EGLS Idaho, Inc., Idaho Falls, ID, February 1990.
(4)
R. C. Bertucio and J. A. Julius, " Analysis of Core Damage Frequency for surry Unit 1 Internal Events," NUREG/CR-4550, SAND 86-2004, Vol. 3, April 1990.
[5] Not used for Volsene 1 (non proprietary version) data table.
[6]
J. A. Steverson and C. L. Atwood "Cczemon Cause Fault Rates for Valves " NUREG/CR-2770 (1983).'
l
[7]
T. A. Wheeler, et al., " Analysis of the Lassile Unit 2 Nuclear Power Plant: Risk Methods Integration and Evaluation Program," NUREG/CR-4832 SAND 87-7157 Vol. 5. October 1990.
[8]
D. D. Carlson, et al., " Interim Reliability Evaluation Program Procedures Guide," NUREG/CR-2728, 5AND82-1100, January 1983.
[9]
Not used for Voltano 1 (non proprietary version) data table, ee 110}
M. T. Drouin, et al., " Analysis of Core Danese Frequency: Grand Gulf Unit 1 Internal Events," NUREG/CR-4550, 5A1586-2084, Vol. 5, Rev.1, Part 1, Sandia National Laboratories, Albuquerque, M, September 1989.
j I
i
_______m
3.6 Base Case Ouantification and Sensitivity Calculations Section 3.6 discusses the results of the sequence-level component failure calculations, for both the base esse (derived from Westinghouse success criteria) cnd for varying success criteria assumptions. The base-case calculations provide o best-estimate for the core damage frequency (CDF) and uncertainty for component feilures, considering only the emergency cooling function.
Sensitivity eniculations evaluate differing success criteria, generally more restrictive relative to the base case.
These calculations provide a measure of the 1: portance of a particular passive system, and therefore its associated natural processes, in terms of change in CDF. This will aid in the selection of natural process uncertainties for further analysis in the next phase of the program.
Sections 2.2.2 and 2.2.3 discuss the methodology applied in these quantification tasks.
The calculations discussed in this section were performed using 1RRAS version 2.6
[32).
The base case calculations involved using the fault and event trees described in Sections 3.3 and 3.4 and proprietary Appendices P1, P2 and P3, as well as the data analysis (including human reliability and common cause failure analyses) presented in Section 3.5 and Appendix P4.
Modifications to the base-case fault and event trees were made for the sensitivity calculations. These are i
described further in Section 3.6.2.
In each of the base and sensitivity cases, seven initiators were evaluated:
transients with and without main feedwater (TWMF and TWOMF); loss of off-site power (LOSP); small, medium and large loss of coolant accidents (SLOCA, MLOCA and LLOCA), and steam generator tube rupture (SGTR).
A truncation on sequence frequency of lE-15/yr was employed in most cases; occasionally, calculational constraints demanded a sequence truncation value of IE-11/yr to lE-14/yr. The calculations applied no truncation. level on cuc set size or frequency.
Truncation levels this low are not considered necessary, since overall core damage frequency for the emergency cooling function base case is on the order of 3E-6/yr. These levels were possible because of the size of the problem, however, and should reduce concern over the core damage frequency contribution neglected due to truncation.
1 All figures for this section are located at the end of Section 3.6.
3.6.1 Base Case Calculations As sentioned above, the base case calculations utilized the fault and event tree models described in Sections 3.3 and 3.4 (and associated proprietary appendices).
" Base case" refers to calculations using success criteria which are based to the extent possible on the success criteria formulated by Westinghouse in their previous AP600 probabilistic risk analyses.
This encompasses information collected through July 1991 on the evolving AP600 design.
The Westinghouse success criteria were utilized because thermal-hydraulic calculations to support development of success criteria were deemed to be outside the scope of Phase 1 of this study. The base-case success criteria simply form a starting point from which to investigate the possibility that more restrictive success criteria apply i
due to uncertainties in the natural processes.
3-97
Using these base-case success criteria and the data of Section 3.5, a best estimate for the core damage frequency associated with the emergency cooling and decay heat removal (ECC/DHR) functions for the AP600 has been calculated. Also calculated was a representation of the uncertainty associated with this estimate, resulting from the distributions assigned to component and operator-related 1
events (see Section 3.5).
(This uncertainty does not reflect the uncertainty in passive system natural processes, which will be addressed in Phases 2 and 3 of this program.)
j 3.6.1.1 Results of Base Case Calculations Table 3.6-1 presents the results of the base case calculations, by initiator.
The initiators are listed in decreasing order of contribution to the total CDF.
The base case calculations yielded an overall point estimate of 3.59E-6/yr. Note that this is for the ECC/DHR functions only; no reactivity control is considered.
This compares with a previously reported Westinghouse value of 1.25E-6/yr in a preliminary analysis (1989), which was based on an earlier version of the AP600 design and included reactivity control considerations. As can be seen from Table 3.6-1, small LOCAs contribute a great deal, over 68 percent, to the total CDF.
All LOCAs taken together contribute over 95 percent.
The analysis included only internal initiators occurring during full power operation. Low power and shutdown modes of operation are outside the scope of the current study. The analysis was carried out to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> after reactor trip.
No operator recovery analysis was performed.
It should be emphasized that the results are based on a design current as of July 1991; changes to the design have occurred to date which could substantially affect these results.
The uncertainty calculation results for the base case are presented in Table 3.6-2.
Latin hypercube sampling was performed using a sample size of 1000.
Full uncertainty distribution correlation among like basic events was employed.
A mean value of 3.86E-6/yr resulted, with 5.86E-7 and 1.15E-5 as fifth and ninety-fifth percentiles, respectively.
Figure 3.6-1 provides a depiction of the cumulative distribution function for the base case, emergency cooling function core damage frequency.
3.6.1.2 Less Restrictive Success Criteria Sensitivity Calculations As discussed in the event tree section of this document (Section 3.4), two less restrictive success criteria c'ases were considered versus the base-case success criteria. The purpose of this effort was to develop some insight as to the level of conservatism associated with the base-case success assumptions. The two less restrictive cases were selected based on the judgement that they were among the more plausible and realistic possibilities for relaxing the success criteria.
The affected sequences are denoted TBD-1 and TBD-2 on the event trees.
TBD-1 generally involves taking credit for the sump injection lines, as a backup for the water recirculation /IRWST injection combination required by base-case success criteria. Another possibility for less restrictive success criteria involves the use of the normal residual heat removal (NRHR) system, first in the IRWST injection / recirculation mode, then realigning the system to perform its alternate RCS recirculation mode.
This involves two distinct sets of operator diagnosis / actions, and is thought to be less valid than TBD-1.
3-98
Tcble 3.6-3 provides the results of the calculations for these alternate, less restrictive success assumptions.
The first case considers TBD-1 sequences as cuccesses, instead of core damage contributions as was done for the base case.
The second case considers both T8D-1 and TBD-2 sequences as success outcomes, As can be seen from this table, a 43% decrease in ECC/DHR functional CDF occurs fcr the first case, to 2.06E-6/yr. Removing the TBD-2 sequences from the CDF has no measurable effect. The CDF decrease for the TBD-1 case results can be thought cf as a measure of some conservatism in the base case success criteria ccsumptions.
The possibility of more restrictive success criteria is investigated in Section 3.6.2.
3.6.1.3 Base Case Importance Calculations A cummary of base case importance measures as calculated by IRRAS is provided in Appendix PS.
The listing includes primarily basic events such as component failure and human error events, but also includes some higher-level events that cppear in the event trees but were not quantified using a fault tree. Examples of such higher level events are the smart break LOCA conditional probability svent and the main feedwater system reliability estimate.
These events are corted by Fussell-Vesley importance, and the listing also includes the risk reduction and risk increase ratio. The ten highest ranked events are discussed in the remainder of this section.
Oparator alignment of NRHR for the RCS recirculation mode (NRH-XHE-FO ALEN1) is tha most important event, both by Fussell-Vesley and by risk reduction ratio.
Oparator alignment for the other mode of NRHR, IRWST injection / recirculation, shows up sixth.
As was discussed in Section 3.5.4, the human reliability enslysis performed for this study was somewhat simplified and conservative, so th t these event may be artificially dominating the results.
However, the cultiple separate actions which are involved for each of these operator actions would likely result in a relatively high human error probability regardless of thz method of analysis.
It is interesting that a non-safety backup system is represented in four of the top ten events (the other two are discussed below).
None of the events has a significantly large risk increase ratio relative to most other events.
These ovsnts are probably more appropriately examined from a risk reduction parspective.
The method for alignment of NRHR is an area which might deserve cttention, because of this potential for CDF improvement.
Tha Containment Integrity (CI) and Main Feedwater events appear second and fifth in the-listing, respectively. These are estimates for top events in the event trces.
As such, they essentially are equivalent to conglomerations of basic cvants, and thus are not on equal footing with the remainder of the basic events in the list. Much less attention should therefore be directed at these events.
A water recirculation (WRC) event appears third. This event is a common-cause type valve actuation failure, and as such was a conservative way to model cetuation failure for URC. In addition, the WRC system itself is thought to have been conservatively represented in the base-case event trees, such that sump injection cannot be used af ter failure of WRC (see discussion of TBD-1 in the previous section). Each of these considerations may explain to some extent the 3-99
event's high importance ranking. Further reducing the event's actual importance is that recovery of the system may be likely (recovery analysis was not within the scope of this study).
However, the event does have a rather largs risk increase potential, at least for the base-case AP600 model.
The fourth event represents failure of the operator to initiate feed-and-bleed cooling by manually actuating the depressurization (DEP) system and the CMTs.
This event appears in cut sets for both transient and LOCA trees. The appearance of this event as important appears justified, based on its relatively high failure probability, as well as the high number of occurrences reported for the event (10,849).
The seventh and eighth most important events involve two failure modes of a particular NRHR MOV.
The valve fault is involved in a diversion event, where fluid meant for the RCS is directed to the IRUST. This sort of failure of the system is considered less important because it is certainly recoverable (along with the fluid directed to the IRWST).
The ninth event in the importance listing involves common-cause failure of the fourth stage depressurization system valves.
This event is considered significant because it is associated with a high risk increase ratio.
The depressurization system itself is very important for small and medium LOCA response, and is also called upon for feed-and-bleed cooling as a backup to front-line transient response systems.
The tenth event involves the human action of steam generator isolation (SGI).
Although the risk increase ratio for this event is unimpressive, the event is nonetheless considered significant. Without SGI, what otherwise would have been a transient must be dealt with as a IDCA, under the more restrictive LOCA success
)
criteria.
l Other events of note on the importance listing are PRHR events (13th through 15th) with very large risk increase ratios. Although the PRHR is used only in response to transients after failure of non-safety active systems, the system still shows up as important. Possible reasoning for this is the high frequencies of transients relative to IDCAs, coupled with relatively large main and startup feedwater system unavailabilities (non-safety active systems). Other important events involve CMT valve failures, plugging of IRWST suction valves, common-cause failure of IRWST inj ection valves, and common-cause valve failures for the various stages of the depressurization system.
3.6.2 Sensitivity calculations The approach to the success criteria sensitivity calculations was discussed in Section 2.2.3 of the methodology section.
Some of that discussion is repeated here for clarity.
One of the main questions being posed in this study involves uncertainty in the success criteria due to uncertainty in the natural processes governing passive system operation. One can examine cases where the components of a passive system have functioned according to " base-case" system success criteria, e.g.,
the proper combination of valves have changed state.
If inadequate flow or heat removal is realized due to uncertainties in the various natural processes 3-100
involved in the system's operation, then a more restrictive set of success criteria applies.
For example, say one or two out of three heat exchangers in the PRHR system are n2cessary according to base-case success criteria. However, if a greater-than-expected flow loss coefficient applies due to corrosive processes or other uncertainties in the natural circulation loop, the flow in the loop may be inadequate to remove core heat.
Perhaps three of three heat exchangers are required in this case to generate a great enough temperature differential and provide a greater fluid driving force.
In order to examine the change in the point-estimate (comporent-related) CDF with changes in the success criteria assumptions, several calculations have been parformed for differing, more restrictive success criteria.
Three different types of sensitivity calculations were investigated:
(1) within-system success criteria sensitivities (e.g., requiring two of two instead of one of two core makeup tanks);
(2) cross-system success criteria sensitivities (i.e., postulating that after success of one passive system, which normally leads directly to a success sequence for the base case, another passive system is required in order to avert core damage); and (3) passive system importance (here, whether the system components function properly or not, the failure branch of the event tree is followed.
This is discussed further in the following paragraph.)
As discussed in Section 2.2.3, the first and second groups address the effect of degraded passive system performance. That is, the system operates at a level of effectiveness not adequate to prevent core damage alone, and requires either an cdditional train of the same system, or another system operating in concert, to evert CD.
The third group deals with cases where the passive system components function according to base case success criteria, but the natural processes are completely ineffective.
This represents failure of the passive system, and is j
investigated by assigning the system a failure probability of 1.0 in the event tree.
j 1
l These three cases are discussed in turn in the next three subsections. Some of tha supporting information for the subsections is contained in proprietary Appendix P6.
3.6.2.1 Within-System Success Criteria Sensitivities For the within-system success criteria sensitivities, the passive systems which 4
are part of the base-case calculations were examined.
This involved assuming tore restrictive, train-level success criteria (i.e. assuming more trains were required than were for the base case), forming the following five cases:
la) PRRR lb) CMTs Ic) ACCs Ibc) CMT/ACC (both systems changed) id) IRWST Injection 3-101
l Table P6-1 in proprietary appendix P6 specifies the actual success criteria investigated for each of these systems.
The other passive systems, sump injection (SMP) and external containment heat removal (ECC), were not evaluated because they are not included in the base case success criteria.
SMP and ECC were considered as part of the second group of success assumption sensitivities, described in the next subsection.
For each of these cases, the fault trees and common-cause event values were modified, and the event tree logic kept essentially the same.
The event tree logic was simplified somewhat by eliminating the TBD-2's from the tree.
This speeded the calculations but did not change the base case results, based on a test run with the simplified tree.
This allowed direct comparison to the base case calculations reported in the previous section (3.6.1). A comparison to the base case for these and the second group of success criteria sensitivities is presented in Table 3.6-4.
The results for the first group of sensitivity calculations are compiled by initiator in Table 3.6-5.
Case la involved changing the fault tree to represent the more restrictive success criteria for the PRHR system, which resulted in an increase of about an order of magnitude in the PRHR system unavailability.
The point-estimate CDF calculated as a result of this change represents an increase over the base case CDF of a factor of 1.3.
A shift to higher percentage contributions for the transients is realized, as would be expected since the PRHR is only used in response to transient initiators.
For Case Ib, the CMT success criteria was changed to two of two tanks in all cases.
This involved changing the fault tree top gate and adjusting several common cause events. Also, the one-of-one success criteria tree which applies after a smart break MCA was set to failure since one CMT would not be enough for this sensitivity case.
Essentially the same approach just described for CMT applies to ACC, Case ic, as well. The CMT1 system unavailability increased by a factor of 20, and ACC by a factor of 80. The CDF increases a factor of 2.4 for the CMT case, and 1.4 for the ACCs. Both cases result in a shift in contribution to the CDP to the large MCA initiator.
Case lbc utilized the base case event tree, and the fault and data modifications described in the previous paragraph for both CMT and ACC. The resulting change in CDF was the greatest of all the group one cases:
two orders of magnitude.
One should expect a change this large, because these two systems are the only means of high pressure injection following a MCA; depressurization is required if these systems fail.
The SLOCA and MMCA CDFs increased dramatically, acquiring over 99% of the total CDF for this case.
Case ld examined the sensitivity of the CDF results to a change in the IRUST injection (IRT) criteria for the injection lines. Again, this involved a change in the top gate of the IRWST fault tree, and an adjustment of a common cause event.
The change resulted in a factor of 20 increase in IRT system unavailability, and an order of magnitude increase in the CDF over the base case.
An increase was realized for all initiators, but particularly for the MCA initiators.
This can be attributed to the fact that IRT serves as a kind of
" backup" system for the transients, secondary to SFW and PRHR, whereas it is a front-line long term cooling system for the MCA initiators.
3-102
3.6.2.2 Cross-System and Combined Within-System Success Criteria Sensitivities In this section, the results of the cross-system success criteria sensitivities are discussed, along with the results of the cases which included both cross-and within-system changes.
The calculations for the cross-system cases involved changing the structure of the event trees, and using the base case fault trees and data for each of the passive systems.
Additional calculations were then performed using the modified event trees, and the altered fault trees and data changes that were investigated in cases la through id, described in Section 3.6.2.1.
The cases investigated are described in Table P6-1 of Appendix P6, and are presented in general terms below:
2a) PRHR: requiring various combinations of Containment Integrity (CI), ECC, and WRC in addition to PRHR 2bc) CMT/ACC:
changing the combinations of CMT and ACC required (so that they are more restrictive) 2d) IRT:
for IACAs and transients, requiring various combinations of ECC and SMP in addition to IRT (WRC is already part of the base-case criteria)
These sensitivity cases were identified based on an examination of the event tree structure for each initiator and passive system, and judgement as to which cases appeared credible. The combined cases for the within-system success criteria are somewhat self-explanatory:
la/2a)
Case 2a cross-system variations, with the more restrictive system-level PRHR criteria of Case la lbc/2bc) Changing the combinations of CMT and ACC required, as well as including the system-level success criteria of Case 2bc id/2d)
Case 2d cross-system variations, with the Case ld system-level requirements In order to illustrate the changes to the event trees for Cases 2a through 2d, the steam generator tube rupture (SGTR) event tree is presented for each case in Appendix P6.
The trees are also discusses briefly in this appendix. The SGTR tree contains characteristics of both transient and LOCA trees. The results for each of the cases are discussed in the following paragraphs.
Cases 2a and la/2a.
The modified SGTR event tree for Case 2a is shown in Figure P6-2 of Appendix P6. Additional branches have been added to the tree to represent the use of various combinations of CI, ECC, and WRC after success of PRHR. These result in various new sequences, with letter designators dependent upon which systems have succeeded. For example, PCE indicates that PRHR, CI, and ECC have succeeded, but WRC has failed.
Looking at the three systems evaluated, all could be postulated to be required for longer-term operation of PRHR.
In this mode, the fluid in the IRWST has begun boiling off, after receiving heat from the RCS through the PRHR heat exchangers for a period of time.
The steam from the IRWST escapes to the containment atmosphere, condenses on the inside containment shell (the reason why ECC and CI might be needed).
It then drains back to the IRWST (reason for WRC requirement) to continue cooling the PRHR heat exchangers.
3-103
Table 3.6-6 presents the results of the cases 2a and la/2a sensitivity calculations. The four "subcases" in the table, one for each column, are defined in terms of grouped sequences, as follows:
Subcase 1:
This represents the possibility that all three systems are needed in addition to PRHR.
Subcase 11:
This corresponds to the need for CI and WRC, but not ECC.
Subcase 111: Here, only WRC is required to operate in addition to PRHR.
Subcase iv:
CI is required in this case; ECC and WRC are not.
As is apparent, subcase (1)'is the most restrictive set of alternate success criteria, resulting in a factor of 58 increase over the base case CDF.
The results for subcases (i) and (ii) are essentially equivalent, as can be seen from Table 3.6-6.
This indicates that the results are not sensitive to requiring ECC, which is expected due to the very low failure probability for ECC (around 6E-7).
The results are about halved when CI is no longer required (subcase iii), and when WRC is no longer required. These two are of about equal importance relative to the base case, at around a 25 times higher CDF.
For all of these cases, addirg the PRHR Case (la) success criteria has an almost negligible effect.
Cases 2bc and 1bc/2bc. Figure P6-3 presents the modified SGTR event tree for Cases 2bc and 1bc/2bc. The results of the calculations appear in Tables 3.6-4 and 3. 6-7.
As can be seen in Table 3.6-4, this change has a rather small overall effect on CDF, because of the relatively low failure probability for each system.
Only when the Case ibc system success requirements are added does the change become significant, the highest of any of the sensitivity calculations.
[
t Cases 2d and 1d/2d. The SGTR event tree for this casa is presented in Figure P6-4.
This case involves investigating the effect of requiring ECC or SMP in addition to IRWST injection / recirculation. WRC and CI are already required for the base case.
Both of these additional systems are of interest for the long term recirculation mode of IRT.
ECC may be required to enhance heat removal through the containment shell, and thus promote condensation of the fluid which escapes the RCS to the containment atmosphere in the form of steam. This fluid drains down the interior of the containment shell, and should return to the IRWST if WRC operates successfully. Even with successful WRC operation, the return of fluid to the IRWST may not be 100%, with some draining via alternate route to the sump.
Therefore, sump injection may be required at some point in time after initial functioning of the IRWST recirculation process.
As for Cases 2a and la/2a (see discussion above), calculations were performed for several subcases:
Subcase 1:
This represents the requirement that all the above mentioned systems must operate in addition to IRT injection, to avert CD.
Subcase 11:
CI, WRC, and ECC are necessary, but not SMP.
Subcase 111:
CI, WRC and SMP are required, but not ECC.
The results for these subcases are presented in Table 3.6-8.
As for Cases 2a and la/2a, the subcases with and without ECC show equivalent results. Again, ECC does not impact the results due to its low failure probability. Requiring sump injection increases the results by a factor of two.
3-104
I l-i l
The combined sensitivity, Case id/2d, not only required the more restrictive C se ld success criteria for the IRWST injection lines, but also required more cump injection lines, since IRT and SMP share injection paths.
The SMP fault trce was modified in addition to the IRT tree for this sensitivity. This results in an order of magnitude increase in CDF, with SMP required.
3.6.2.3 Passive System Importance Tha final set of more restrictive success assumption sensitivities is based on cxamining the change in CDF if a passive system is totally ineffective, whether or not the components have functioned according to system success criteria. As diccussed above, this fully degraded performance could result from decreased effectiveness of the natural process which provides the driving force for the cyatem.
To calculate this measure of the importance of a passive system, the failure path represented on the event tree must be followed after both success cnd failure of the passive system. This is equivalent to eliminating the passive cyctem success path from the event tree, so that no branch appears for the p2csive system of interest.
This calculation was performed for each of the following systems: PRHR, IRT, WRC, ACC, and CMT. Note that SMP and ECC result in the same value as the base case, since no credit was taken for these systems in the base-case success criteria.
T:ble 3.6-9 shows the overall CDF results for each of these cases.
The result for all the systems is an increase of about two orders of magnitude in CDF. From this table, WRC appears most important.
Since WRC was treated in a somewhat conservative manner (see Section 3.3.4.12), the relative increase could be even grsater when starting from a more realistic model for the system. However, it is felt that this result is driven by the conse rvative base-case success aczumption that SMP is not used after failure of WRC. In addition, WRC could in come ways be considered a subset of the IRWST/SMP recirculation mode.
Of the remaining systems, PRHR, used in response to transients, is highest. This prcbably due to a combination of high transient frequencies and high active startup and main feedwater system unavailabilities. PRHR is called upon after failure of these feedwater systems.
IRT and CMT follow, with ACC of lowest itportance of the passive systems examined.
Bscause of the close ranking among these systems, the selection of passive ayatems for further analysis should be based on a combination of the sensitivity calculation results from this section (3.6.2), and qualitative information from tha system-level qualitative analysis described in Section 3.2.
Selection of the epscific passive systems to be analyzed in the natural process assessment phase will also depend on thermal-hydraulic modeling considerations.
3-105
1 Figure 3.6-1.
Base Case Cumulative Distribution to current 0.8 i
O.8 g
o O
y y
0.4
?
o2 j
i i
O.0
' g4 g4 ECC/DHR FuniYonal Core Damage Frequency-10E-07 t
4 1
e.
\\
\\
TABLE 3.6-1.
Base Case Point Estimate Results.
CDF [/yr)
Percent Contribution (Emergency Cooling Function only)
SLOCA 2.46E-06 68.56 MLOCA 6.52E-07 18.16 LLOCA 3.02E-07 8.41 SGTR 4.99E-08 1.39 TWMF 1.01E-07 2.80 TWOMF 1.77E-08 0.49 LOSP 6.97E-09 0.19 Total 3.59E-06 100.00 TABLE 3.6-2. Latin Hypercube Uncertainty Results for Base Case, i
(Emergency Cooling Function Only, Full Correlation Applied)
Sample Size 1000 Point Estimate 3.594E-006 Mean Value 3.468E-006 Sth Percentile Value 5.937E-007 l
Median Value 1.912E-006 i
95th Percentile Value 1.120E-005 Minimum Sample Value 1.620E-007 i
Maximum Sample Value 5.039E-005 Standard Deviation 4.867E-006 Skewness 4.720E+000 Kurtosis 3.376E+001
-l 3-107
TABLE 3.6-3 Base Case Emergency Cooling Function CDFs for Less Conservative Success Criteria Assumptions.
Base Case Base Case Base Case w/out TBD-1 w/out TBD-1
& TBD-2 SIDCA 2.46E-06 1.36E-06 1.36E-06 MIDCA 6.52E-07 3.5BE-07 3.58E-07 I.IDCA 3.02E-07 1.92E-07 1.92E-07 SGTR 4.99E-08 2.74E-08 2.74E-08 TWMF 1.01E-07 9.70E-08 9.70E-08 TWOMF 1.77E-08 1.70E-08 1.70E-08 IDSP 6.97E-09 6.19E-09 6.19E-09 Total 3.59E-06 2.06E-06 2.06E-06 Note:
TBD-1 and TBD-2 refer to sequence outcomes with slightly less restrictive success criteria than the base-case success criteria.
See explanation in Section 3.6.1.2.
3-108
TABLE 3.6-4. Comparicon of More Rsatrictivo Sucesas Critcrin SInsitivity Calculctions R310tiva to Baso Ca.70.
Sensitivity Case Total SMCA MLOCA LMCA SGTR TWMF TWOMF IDSP Base 3.59E-06 2.46E-06 6.52E-07 3.02E-07 4.99E-08 1.01E-07 1.77E-08 6.97E-09 mammm mmmmmmm-la 4.76E-06 2.46E-06 6.52E-07 3.02E-07 5.09E-08 1.04E-06 1.83E-07 7.22E-08 (1.33)
(1.00)
(1.00)
(1.00)
(1.02)
(10.30)
(10.34)
(10.36) lb 8.81E-06 5.53E-06 1.47E-06 1.63E-06 5.26E-08 1.01E-07 1.77E-08 6.98E-09 (2.45)
(2.25)
(2.25)
(5.40)
(1.05)
(1.00)
(1.00)
(1.00)
Ic 5.02E-06 3.19E-06 8.38E-07 8.13E-07 4.99E-08 1.01E-07 1.77E-08 6.97E-09 (1.40)
(1.30)
(1.28)
(2.69)
(1.00)
(1.00)
(1.00)
(1.00) id 3.66E-05 2.85E-05 7.59E-06 3.41E-07 5.76E-08 1.02E-07 1.79E-08 7.40E-09 (10.19)
(11.58)
(11.64)
(1.13)
(1.15)
(1.01)
(1.01)
(1.06)
Y lb/lc 3.89E-04 3.05E-04 8.14E-05 2.14E-06 5.33E-08 1.01E-07 1.77E-08 3.68E-09
{
(108.36)
(123.98)
(124.85)
(7.09)
(1.07)
(1.00)
(1.00)
(0.53) 2a 2.08E-04 2.46E-06 6.52E-07 3.02E-07 2.30E-07 1.66E-04 2.91E-05 9.28E-06 (subcase 1)
(57.94)
(1.00)
(1.00)
(1.00)
(4.61)
(1643.56)
(1644.07)
(1331.42) 2bc 5.86E-06 4.30E-06 1.06E-06 3.02E-07 6.93E-08 1.03E-07 1.81E-08 7.10E-09 (1.63)
(1.75)
(1.63)
(1.00)
(1.39)
(1.02)
(1.02)
(1.02) 2d 8.00E-06 5.63E-06 1.50E-06 6.19E-07 1.15E-07 1.12E-07 1.96E-08 9.22E-09 (subcase 1)
(2.23)
(2.29)
(2.30)
(2.05)
(2.30)
(1.11)
(1.11)
(1.32) la/2a 2.09E-04 2.46E-06 6.52E-07 3.02E-07 2.31E-07 1.67E-04 2.93E-05 9.34E-06 (subcase 1)
(58.22)
(1.00)
(1.00)
(1.00)
(4.63)
(1653.46)
(1655.37)
(1340.03) lbc/2bc 4.08E-04 3.20E-04 8.52E-05 2.14E-06 4.46E-07 1.66E-07 2.91E-08 1.06E-08 (113.65)
(130.08)
(130.67)
(7.09)
(8.94)
(1.64)
(1.64)
(1.52) id/2d 4.06E-05 3.13E-05 8.35E-06 6.58E-07 1.22E-07 1.13E-07 1.98E-08 9.65E-09 (subcase 1)
(11.31)
(12.72)
(12.81)
(2.18)
(2.44)
(1.12)
(1.12)
(1.38)
I m
___a
TABLE 3.6-5.
Sensitivity Calculations for Within-System Variations in Success criteria.
la lb ic CDF [/yr]
% Cont.
CDF [/yr]
% Cont.
CDF [/yr]
% Cont.
Total 4.76E-06 100.00 8.81E-06 100.00 5.02E-06 100.00 SLOCA 2.46E-06 51.71 5.53E-06 62.75 3.19E-06 63.59 MLOCA 6.52E-07 13.70 1.47E-06 16.69 8.38E-07 16.71 LLOCA 3.02E-07 6.34 1.63E-06 18.54 8.13E-07 16.21 SGTR 5.09E-08 1.07 5.26E-08 0.60 4.99E-08 0.99 TWMF 1.04E-06 21.83 1.01E-07 1.14 1.01E-07 2.01 TWOMF 1.83E-07 3.83 1.77E-08 0.20 1.77E-08 0.35 LOSP 7.22E-08 1.52 6.98E-09 0.08 6.97E-09 0.14 Y
[
Id Ib/lc o
CDF [/yr]
% Cont.
CDF [/yr]
% Cont.
Total 3.66E-05 100.00 3.89E-04 100.00 SMCA 2.85E-05 77.82 3.05E-04 78.47 MIDCA 7.59E-06 20.74 8.14E-05 20.93 LLOCA 3.41E-07 0.93 2.14E-06 0.55 SGTR 5.76E-08 0.16 5.33E-08 0.01 TWMF 1.02E-07 0.28 1.01E-07 0.03 TWOMF 1.79E-08 0.05 1.77E-08 0.00 MSP 7.40E-09 0.02 3.68E-09 0.00
'1 1
TABLE 3.6-6.
Sensitivity Calculations for PRH2 Cross-System Variations in Success Criteria.
Subcase i Subcase 11 Subcase 111 Subcase iv CDF [/yr]
% Cont.
CDF [/yr]
% Cont.
CDF [/yr]
% Cont.
CDF [/yr]
4 Cont.
2a Total 2.08E-04 100.00 2.08E-04 100.00 1.00E-04 100.00 1.12E-04 100.00 2a SLOCA 2.46E-06 1.19 2.46E-06 1.19 2.46E-06 2.46 2.46E-06 2.21 2a MLOCA 6.52E-07 0.31 6.52E-07 0.31 6.52E-07 0.65 6.52E-07 0.58 2a LLOCA 3.02E-07 0.15 3.02E-07 0.15 3.02E-07 0.30 3.02E-07 0.27 2a SGTR 2.30E-07 0.11 2.30E-07 0.11 1.35E-07 0.14 1.45E-07 0.13 2a TWMF 1.66E-04 79.79 1.66E-04 79.79 7.84E-05 78.33 8.77E-05 78.62 2a TWOMF 2.91E-05 13.99 2.91E-05 13.99 1.37E-05 13.73 1.54E-05 13.79 w
2a LOSP 9.28E-06 4.46 9.28E-06 4.46 4.39E-06 4.38 4.91E-06 4.40 L
U la/2a Total 2.09E-04 100.00 2.09E-04 100.00 1.01E-04 100.00 1.13E-04 100.00 la/2a SLOCA 2.46E-06 1.18 2.46E-06 1.18 2.46E-06 2.43 2.46E-06 2.18 la/2a MLOCA 6.52E-07 0.31 6.52E-07 0.31 6.52E-07 0.64 6.52E-07 0.58 la/2a LLOCA 3.02E-07 0.14 3.02E-07 0.14 3.02E-07 0.30 3.02E-07 0.27 la/2a SGTR 2.31E-07 0.11 2.31E-07 0.11 1.36E-07 0.13 1.46E-07 0.13 la/2a TWMF 1.67E-04 79.78 1.67E-04 79.78 7.93E-05 78.33 8.87E-05 78.61 la/2a TWOMF 2.93E-05 14.01 2.93E-05 14.01 1.39E-05 13.77 1.56E-05 13.83 la/2a IDSP 9.34E-06 4.47 9.34E-06 4.47 4.45E-06 4.39 4.97E-06 4.41
~
iI l
l a
ire t
ir C
sseccu S
n i
0 2
0 3
1 4
1 0
t 0
4 9
5 1
0 0
0 s
n n
o 0
8 0
0 0
0 0
0 o
C 0
7 2
i 1
t c
a b
i 2
r
/
a c
]
4 4
5 6
7 7
8 8
V b
r 0
0 0
0 0
0 0
0 l
y m
/
E E
E E
E E
E E
e
[
8 0
2 4
6 6
1 6
ts F
0 2
5 1
4 6
9 0
y D
4 3
8 2
4 1
2 1
S C
-sso 0
5 3
6 8
6 1
2 r
0 3
1 1
1 7
3 1
t C
no 0
3 8
5 1
1 0
0 C
C 0
7 1
C 1
A
/T c
M b
C 2
]
6 6
6 7
8 7
8 9
r r
y 0
0 0
0 0
0 0
0 o
/
E E
E E
E E
E E
f
[
6 0
6 2
3 3
1 0
s F
8 3
0 0
9 0
8 1
n D
5 4
1 3
6 1
1 7
o C
i ta luc la l
A A
A F
R F
P c
a C
C C
M T
M O
S t
D O
D G
W W
O y
o I
L I
t T
S M
L S
T L
T iv i
tisne S
7 6
3 ELBAT 0
t
l TABLE 3.6-8.
Sensitivity Calculations for IRT Cross-System Variations in Success Criteria.
Subcase i Subcase 11 Subcase 111 CDF [/yr) t Cont.
CDF [/yr)
% Cont.
CDF [/yr]
t Cont.
2d Total 8.00E-06 100.00 3.58E-06 100.00 8.00E-06 100.00 2d SLOCA 5.63E-06 70.37 2.46E-06 68.55 5.63E-06 70.37 2d MwCA 1.50E-06 18.71 6.51E-07 18.15 1.50E-06 18.71 2d LWCA 6.19E-07 7.73 3.01E-07 8.41 6.19E-07 7.73 2d SGTR 1.15E-07 1.43 4.98E-08 1.39 1.14E-07 1.43 2d TWMF 1.12E-07 1.39 1.01E-07 2.81 1.12E-07 1.39 2d TWOMF 1.96E-08 0.24 1.77E-08 0.49 1.96E-08 0.24
{
2d MSP 9.22E-09 0.12 6.97E-09 0.19 9.22E-09 0.12 Id/2d Total 4.06E-05 100.00 3.66E-05 100.00 4.06E-05 100.00 id/2d SLOCA 3.13E-05 77.16 2.85E-05 77.82 3.13E-05 77.16 ld/2d MMCA 8.35E-06 20.57 7.58E-06 20.74 8.35E-06 20.57 ld/2d LLOCA 6.58E-07 1.62 3.40E-07 0.93 6.58E-07 1.62 Id/2d SGTR 1.22E-07 0.30 5.75E-08 0.16 1.22E-07 0.30 id/2d TWMF 1.13E-07 0.28 1.02E-07 0.28 1.13E-07 0.28 Id/2d TWOMF 1.98E-08 0.05 1.79E-08 0.05 1.98E-08 0.05 Id/2d LOSP 9.65E-09 0.02 7.39E-09 0.02 9.65E-09 0.02
)
TABLE 3.6-9.
Sensitivity calculations for Individual System Importance.
SYSTEM CDF (Emergency Cooling CHANGE RE1ATIVE TO Only)
BASE CASE PRRR 3.850E-4 107.12 IRUST 3.563E-4 99.14 VRC 6.115E-4 170.14 Accumulator 3.051E-4 84.89 CMT 3.384E-4 94.16 3-114 l
3.7 Miscellaneous Post-Seauence-Level Calculation Issues This section discusses various issues identified subsequent to completion of the sequence-level component failure quantification described in Sections 3.3 through 3.6.
Many of these issues originate from NRC comments received on the draft version of this report.
Included are possible conservatisms in the original analysis, further investigation into the special data issues discussed in Section 3.5.5, and examination of the impact of new recommended data values as a result of recently completed, NRC-sponsored work in this area.
Each of the issues is discussed in the following sections.
3.7.1 Water Recirculation Model There are two issues related to the Water Recirculation System (WRC).
The first is that the WRC fault tree model was incorrect for the original calculations, as was discussed in Section 3.3.4.12.
In the model, a dependency was non-conservatively misrepresented on the tree.
To investigate the impact of this error, the base-case, point estimate functional core damage frequency (see Section 3.6.1) was recalculated using a corrected fault tree.
There was no change in this value:
it remained 3.594E-6/yr.
This error did not therefore affect the base-case results, and is not thought to have affected the sensitivity calculations, although this has not been investigated.
The second issue for WRC involves a probable conservatism in the model.
As was discussed in Section 3.3.4.12, the actuation of the system was handled conservatively due to lack of information.
Because of the importance of this actuatien failure event to the overall base-case results (see Section 3.6.1.3 and Appendix PS), the model was reworked to more realistically represent the actuation of the system, with separate actuation events instead of a common-cause-type actuation event.
A trsditional common-cause failure-to-transfer event was added as well.
After requantification using this new, more realistic model, the base-case point-estimate CDF decreased from 3.594E-6/yr to 2.077E-6/yr, a 42% decrease.
An importance calculation using the new WRC model resulted in the WRC common cause event dropping to 17th (ranked according to Fussell-Vesley importance).
The former, common-cause type actuation failure was ranked third in importance for the original base-case importance calculation.
In subsequent phases of the study, the corrected WRC model will be used for any calculations requiring the fault tree.
3.7.2 Additional Information on Iow-Differential-Pressure Check Valve Operation This data-related issue was discussed at some length in Section 3.5.5.1.
Because there has been much debate on the whether the likelihood of failure of check valves opening under low dif ferential pressures is higher because of their unique operating environment, several sensitivity calculations were performed to investigate the effect of higher failure probabilities for these valves.
3-115
The affected valves are the In-containment Refueling Water Storage Tank (IRWST) injection check valves, as well as sump suction line valves, although the sump valves are not part of the base-case models.
The failure probabilities assigned to these valves, (as well as their associated common-cause failure-to-transfer events) were increased first one, then two orders of magnitude over the generic lE-4/ demand value.
The resultant point-estimate CDFs were 3.619E-6/yr and 3.889E-6/yr, respectively.
These represent an 0.7%
and an 8% increase over the original base-case CDF (3.594E-6/yr), which are not thought to be tremendously significant.
These relatively small increases are in line with the basic-event importance calculation results presented in Appendix P6 and indicating a low relative importance of these valves to the overall results.
NRC-sponsored work investigating check valve reliability under low differential pressure conditions is currently being performed at Oak Ridge l
National Laboratory.
The results of these studies are expected in the Summer of 1992.
Some preliminary results obtained recently indicate that chere have been instances of check valves sticking closed in low pressure systems.
The final results of this work will be factored into Phases 2 and 3 of this study.
3.7.3 Application of New Recommended Valve Failure Data After the original calculations for this study were performed, the results of an NRC-sponsored study into demand-related component failure rates became available.
This work, described in Reference [46), has found that a large fraction of component unavailability in demand-type situations is due to standby-related failures, rather than demand-related failures.
The component unavailability is then very sensitive to test intervals.
The study investigated in detail air-and motor-operated valves and diesel generator (DG) failure data from five U.S.
nuclear power plants.
The work involved deriving recommended values for p (demand-related failure probability) and A, (standby-related failure rate) to be used in the following expression for component unavailability:
Q - p, + ( 0. 5 ) A,T.
In this expression, T is the component test interval. The study investigated the impact on the core damage frequency for several plants analyzed in the NUREG-1150 analyses [2], and found a significant increase.
The NRC requested that we investigate the effect of applying these new data to this study. There is some question as to the testability of valves in certain AP600 systems, such as the depressurization system (DEP).
In the case of the DEP system, for example, a high LOCA frequency might result if these valves are tested very often. A lack of testability during power operation could lead to large (18 to 24 month) test intervals, and high component unavailabilities as a result.
For the AP600, the DG data from the study are not considered applicable, because the AP600 DGs are non-safety grade.
EPRI ALVR Requirements Document unavailabilities were applied, as discussed in Section 3.5.5.2.
The MOV and AOV data apply to the following AP600 systems:
Core Makeup Tanks (CMTs), DEP, Exterior Containment Cooling (ECC), Normal Residual Heat Removal (NRRR), Sump injection (SMP), and Water Recirculation (WRC).
These systems have been 3-116
Table 3.7-1.
New A0V and MOV Failure Data (Q - p, + (0.5) A,)
Test Interval AOV Unavailability MOV Unavailability p, - 0.0/ demand p, - 0.0/ demand A - 1.49E-5/hr A, - 1. 38E-5/hr 1 month 5.44E-3 5.04E-3 3 months 1.63E-2 1.51E-2 12 months 6.53E-2 6.05E-2 18 months 9.80E-2 9.07E-2 24 months 1.31E-1 1.21E-1 described in Section 3.3.4.
Table 3.7-1 lists the A0V and MOV failure probabilities calculated for differing test intervals. As can be seen, these are significantly higher than the ASEP generic [4] data values used in this study (presented in Table 3.5-1).
Some of the new values seem rather :onservative.
Several different sensitivity calculations were performed, assummg differing sets of test intervals.
The test interval lengths examined were 1, 3, 12, 18, and 24 months.
The PRHR test interval was always assumed to be three months, based on design information.
Because the DEP system was of particular interest, its test interval was varied while other components were held to 18 months, except when the DEP interval was set to 24 months, in which case the remaining components were also set to 24 months. Both 18 and 24 months were investigated, because there is a possibility that the refueling cycle could be either length for this design.
For each of the cases in Table 3.7-1, the individual valve failure events, as well as the applicable common-cause events, were changed to reflect the unavailability indicated. The results of these calculations are shown in Table 3.7-2.
As can be seen, these changes increase dramatically the ECC/DHR functional CDF over the base case.
Based on recent information from NRC and Westinghouse, the issue of DEP test interval length is currently being examined.
Our understanding is that the current expected DEP interval is three months, although this is not final.
3.7.4 Depressurization System Importance The system importance calculations discussed in Section 3.6.2.3 included only passive systems.
Because the depressurization system MOVs require a support system, this system is not considered passive. However, because of the level of interest in the depressurization system, a similar system-level importance calculation was performed to provide this information. With the system failure set to 1.0, the resultant point-estimate ECC/DHR functional CDF was 4.20E-3/yr.
This is a dramatic rise in core damage frequency over the base-case value of 3.594E-6, over three orders of magnitude. This emphasizes the importance of DEP to the AP600 design.
3-117
Table 3.7-2.
Results of Applying New Data to Base-Case Models Case System Test Intervals Resultant ECC/DHR Factor Increase CDF (/yr)
Relative to Original Base-Case CDF
.A DEP - 1 mo.; PRHR - 3 mo; 3.868E-5 10.8 all others 18 mo.
B DEP - 3 mo.; PRHR - 3 mo; 4.331E-5 12.1 all others 18 mo.
C DEP - 12 mo.; PRHR - 3 mo; 8.074E-5 22.5 all others 18 mo.
D DEP - 18 mo.; PRHR - 3 mo; 1.213E-4 33.8 all others 18 mo.
E DEP - 24 mo.; PRHR - 3 mo; 2.396E-4 66.7 all others 24 mo.
l l
l l
i l
l l
3-118
4 RESULTS AND CONCLUSIONS OF PHASE 1 i
Phase 1 of the passive system reliability program has involved development of a method for assessing passive system reliability, and an examination of the passive systems included in the Westinghouse AP600 ALVR design. This examination has emphasized the component failure element of passive system reliability, rather than the natural processes which provide the driving force for system operation.
Although cursory evaluation of the natural processes has been performed, detailed assessment of these processes will take place during Phases 2 and 3 of the program.
The objective of the study is to develop and implement a method to evaluate passive system reliability.
First, a literature survey on passive system and advanced reactor safety was performed, to identify relevant work in the area of passive system evaluation. A methodology was then developed, including methods for prioritizing system failures, and ultimately addressing uncertainties in passive system reliability.
The uncertainties to be addressed include those associated with natural processes, such as natural circulation and gravity-driven flows.
The purpose of this section is to describe briefly the more interesting results of Phase 1, and present some conclusions which provide a starting point for the next phases of the program.
Described first are the findings of the cursory system-level qualitative analysis, followed by the results of the sequence-level component failure quantification, both base-case and sensitivity calculations.
Section 2.2 of this document provides a comprehensive discussion of the methodology developed for the program.
As stated previously, the Westinghouse AP600 has served as an example ALWR for demonstration of the methodology.
The AP600 design was evolving during the course of Phase 1 of this study.
An effort was made to incorporate design changes as the information became available. However, there have been numerous design changes since completion of the Phase 1 analyses; the reader is therefore cautioned regarding the applicability of the design information and results reported herein to the most current AP600 design version.
4.1 Results of the System-Level Qualitative Analysis The system-level qualitative analysis determined the systems with the greatest potential to be influenced by natural process uncertainties (i.e.,
those with very low failure rates due to component failures, combined with natural processes thought to be uncertain).
This screening study applied lower-bound values for component failure rates to give an estimate of the lowest expected contribution of component failures to overall system failure. Then the natural processes and uncertainties for each passive system were identified, and judgement applied to determine the expected importance of the process uncertainties to system failure.
The systems appearing to be most important according to the screening analysis are those associated with external containment cooling, and natural circulation in the reactor coolant system and interior containment atmosphere. These results 4-1
are based in part on the small component failure lower bound estimate for the external containment cooling system, combined with a large number of associated natural processes and uncertainties. The potentially complex natural processes and uncertainties involved in natural circulation cooling in the reactor coolant system (the passive residual heat removal system) and recirculation process in the containment interior led to their selection as important systems for further
- analysis, It should be noted that the system-level screening was based on an older version i
of the AP600 design (January 1989), for which external containment cooling was important. For the newer version of the design (July 1991), which was analyzed in the sequence-level quantification discussed in the next section, it is our understanding that the external containment spray system is no longer considered necessary to avert core damage.
(Note: because the system-level analysis was primarily qualitative in nature, it was thought unnecessary to redo the analysis when newer design information became available.)
4.2 Results of Sequence-Level Component Failure Analysis In the sequence-level component failure analysis, accident sequences were quantified, considering only the emergency cooling and decay heat removal functions (i.e.,
reactor trip was assumed to always occur), and internal initiating events.
This portion of Phase 1 focused on the component failure aspects of passive system failure, i.e., no natural process uncertainties were addressed. Fault and event tree models of the AP600 were developed for a newer (July 1991) AP600 design version.
A data analysis was performed, applying realistic values to the failure events, rather than lower-bound values as in the screening analysis.
Common-cause and somewhat simplified human reliability analyses were performed.
Component data from current generic sources were primarily applied, because of the use of current-technology components in the AP600 design. The analysis was carried out to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> af ter reactor trip, and no operator recovery analysis was performed. Additionally, control and actuation systems were not handled in e detailed manner, so that the results of this analysis do not reflect the differences between the AP600's design of these systems, with their greater dependence on computer software, and those of a current plant.
A few data-related issues arose, such as the question of check valve reliability at low differential pressures, and AP600 non-safety grade equipment which is classified safety grade in current plants.
For the check valve issue, current generic values and distributions were applied based on judgement regarding the processes affecting reliability of the valves, and importance calculations showing a lesser significance of the valve failure events in the context of the sequence analysis. For the safety /non-safety grade issue, several distinctions were made versus the generic data, principally with regard to diesel generator events.
The first result of the sequence-level quantification effort was a base-case value for the core damage frequency (CDF), for the emergency cooling and decay heat removal functions only (i.e. conditional on successful reactivity control).
This result provides a basis for comparison to the sensitivity calculations also performed as part of the quantification effort. The calculations will be built 4-2 i
l
upon in later phases of the project, when success criteria uncertainties will be quantified by examining the natural process uncertainties in detail.
The base case quantification resulted in an estimated mean core damage frequency of 3.5E-6/yr and 5th and 95th percentile values of 5.9E-7 and 1.lE-5, respectively.
This compares with a previously reported Westinghouse value of 1.25E-6/yr from a preliminary analysis (1989), which was based on an earlier version of the AP600 design.
The dominant initiator was predicted to be a small IDCA (694) with the most dominant failures involving operator failure to properly align the Normal Residual Heat Removal system.
Af ter the initial sequence-level calculations were completed, several issues were identified for further investigation. The first involved a probable conservatism in the actuation model for one of the AP600 systems, the Water Recirculation System.
Because of the importance of the system's actuation event to the results, the model was reworked to treat the actuation more realistically. This resulted in a 42% decrease in the. point-estimate CDF. Another issue examined was the sensitivity of the results to newly available, recommended valve failure rate data, and to the currently uncertain test interval for the depressurization system (DEP).
The new data were applied, and the test interval for the DEP system valves was varied over the range from one to twenty-four months, resulting in a point-estimate CDF a factor of 10 to 67 higher than the original CDF.
The core damage frequency stated above does not include natural process uncertainties.
Sensitivity studies were performed to determine those systems that would have the greatest impact on the core damage frequency if the natural process failed to provide adequate driving force for the system, and the system success criteria were therefore incorrect.
Details of the results of these sensitivity calculations are discussed in Section 3.6.
Three main groups of success criteria sensitivities were examined, the first a set of within-system sensitivities.
In this case, more restrictive train-level system success criteria were assumed, such as two-of-two instead of one-of-two core makeup tanks (CMTs).
Next, cross-system requirements were examined, whereby combinations of systems are postulated to be necessary, instead of a sf.ngle system resulting in aversion of core damage as specified by base-case success criteria. These first two sensitivities examined the effect on emergency cooling / decay heat removal functional CDF as a result of possibly degraded passive system performance, due to the influence of natural process parameter uncertainties. Additional trains or other systems are postulated to be required in order to avert core damage. The third set of sensitivities investigated the case where the passive system is totally ineffective due to natural process uncertainties, regardless of component functioning.
Figures 4.2 1 through 4.2-3 provide the results for each case of the sensitivity studies, in terms of relative increase over the base-case results.
As can be seen from Figure 4.2 1, the in-containment refueling water storage tank (IRWST) in the injection mode causes the greatest relative increase versus any other single system.
CMTs and accumulators (ACCs) are important only when combined (more restrictive system success criteria for both systems, which might be applicable if the same uncertainties affect the operation of these two high-pressure injection systems).
Figure 4.2-2 provides the results for Case 2 and 4-3
130 gure 4.2-1. Case 1 Success Criteria SensitMty Results Fi f
120-
@ CDF Fletative to Base 3
100-g 90-80-
=
70-M.
50-40-( j
?
30-os 20-Q 10-I v
O PRHR CMTs ACCs IRWST CMT/ACC combined Cases 1 and 2.
Here, passive residual heat removal (PRHR) is shown to be important. The CMT/ACC combined case result is driven by incorporating the Case 1 CMT/ACC result.
Finally, Figure 4.2-3 presents the Case 3 results.
From this figure, water recirculation (WRC) appears to be most important. However, it is felt that this result is driven by conservative success criteria assumptions for the base case, which do not allow credit for sump injection after WRC failure.
Rather, the importance of VRC can be considered to represent the importance of internal containment recirculation process for condensing steam within containment and returning it to the IRWST or sump for injection.
PRHR, IRWST, and CMT are the more important of the remaining systems, although there is not a great distinction among any of the systems. They all involve an increase of about two orders of magnitude over the base-case CDF.
Based on these sensitivity studies, the systems determined to be most important are PRHR, CMT inj ection, and IRWST injection coupled with the internal containment recirculation process. These systems involve natural circulation in the primary (PRHR) and within containment (long-term IRWST inj ection), and gravity injection to the primary (CMT and IRWST injection).
If one also considers the insights from the system-level qualitative analysis, these results appear reasonable. Sump injection might also be considered, since 44
Figure 4.2-2. Case 2 Success Criteria Sensitivity Results (CDF Relative to Base Case) 140-130-ee 120-35 Case 2 ony 33o.
100 Cases 1 and 2 90-80-70-at eq g
g 50-40-30-
.n 20-4
'O~
g g
4
-~ E d
s O
PRHR CMT/ACC IRWST it may have been conservatively excluded from the base-case success criteria.
This should be of lower priority than IRWST injection, since sump injection can be thought of as a " backup" to IRWST injection. One additional consideration is enternal containment cooling, which was ranked as most important in the system-1evel analysis but did not prove important in the sequence-level sensitivities due to new success assumptions. Although the system failure probability due to component failures is very low for external containment cooling, many potential natural process uncertainties were identified. Because of the interface with the internal containment recirculation process, it may be prudent to further analyze external containment cooling at the level of detail _ necessary to address interactions between these two processes.
4.3 Recommendations for Phases 2 and 3 The recommended systems for in-depth natural process assessment in Phases 2 and 3 are therefore PRHR, the CMTs, and IRWST injection with internal containment recirculation.
The method for explicitly addressing the natural process uncertainties in these key systems will be demonstrated in Phase 2.
Thermal-hydraulic code calculations will be incorporated into a formal expert judgment process to address uncertainties in selected natural processes and success criteria. Upon successful demonstration of the method, Phase 3 will involve full implementation for the AP600. The AP600 models will be updated at that time to include the latest design information.
4-5
. _.
- _ =
l Figure 4.2-3. Case 3 Success Criteria Sensitivity Results 190-180-Legend 170-
$ CDF Relative to Base j
=
160-j 150-0 j
h 130-fj 120-
[
110-
);
a
~
100-g e
w a
90-
.R 1
1 1-1 s 70 WRC PRHR 1RWST CMT ACC Phase 2 is limited in scope to demonstration of the method for primary / reactor coolant system processes only; containment processes will not be addressed until Phase 3.
Therefore, PRHR, the CMTs, and IRWST injection should be considered in Phase 2.
The supply of fluid to the IRWST should be fixed in some way, until the i
l internal containment recirculation process can be modeled in Phase 3.
At this time, it may also be prudent to bring in modeling of sump injection and external containment cooling, for the reasons discussed above. Of course, selection of systems and processes for further assessment must also be influenced by thermal-hydraulic modelin5 constraints, and by initial thermal-hydraulic sensitivity calculations indicating which process uncertainties appear important to code results.
' w__
4-6
f f
5 REFERENCES
[1]
C.
W.
Forsberg, et al.,
" Proposed and Existing Passive and Inherent Safety-F. elated Structures, Systems, and Components (Building Blocks) for Advanced Light-Water Reactors," ORNL-6554, Oak Ridge National Laboratory, October, 1989.
[2] " Severe Accident Risks: An Assessment for Five U.S. Nuclear Power Plants,"
NUREG-ll50, Vols. 1 and 2, Final Summary Report, U.S. Nuclear Regulatory Commission, December 1990.
[3]
R. C. Bertacio and J. A. Julius, " Analysis of Core Damage Frequency: Surry, Unit 1 Internal Events," NUREC/CR-4550, SAND 86-2084, Vol. 3, Rev.1, Sandia National Laboratories, Albuquerque, NM, April 1990
[4]
D. M. Ericson, ed.,
" Analysis of Core Damage Frequency:
Internal Events Methodology," NUREG/CR-4550, SAND 86-2084, Vol. 1, Rev. 1, Sandia National Laboratories, Albuquerque, NM, January 1990.
[5] " Outlook On Advanced Reactors (A Special Report to the Readers of Eycleonics Wggh)," Nucleonics Week, March 30, 1989.
[6]
M. W. Golay and N. E. Todreas, " Advanced Light Water Reactors," Scientific American, April 1990.
[7]
E.
- 3. Beckj ord, " Safety Aspects of Evolutionary and Advanced Reactors,"
Proceedines of the Conference on Technolorv-Based Confidence Buildine:
Enercy and Environment, Santa Fe, NM, July 9-14, 1989.
[8]
W.
Braun and W. Burkle, "Can Inherent Safety Replace Active and Passive Safety Systems?" Kerntechnik, November 1987.
[9]
L.
Cave and W.
E.
Kastenberg, " Structural Reliability in Relation to Inherent Reactor Safety," Transactions of the 9th International Conference on Structural Meshanics in Reactor Technolorv, Lausanne, Switzerland, August 17-21, 1987.
[10] Charles J. Mueller, et al., " Risk Characterization of Safety Re. earch Areas for Integral Fast Reactor Program Planning," Nuclear Technology, Vol. 91, August 1990.
[11]
L.
Cave and W.
E.
Kastenberg, "The Application of Probabilistic Risk Assessment to Inherently Safe Reactors," Proceedines of the International Topical Conference on Probabilistic Safety Assessment and Risk Manacement.
PSA '87, Zurich, Switzerland, August 30-September 4, 1987.
[12]
M. H. Fontana, et al., "The Role of PRA in Resolving Severe Accident Issues for Advanced Light, Water Reactors - Treatment of External Events,"
Proceedines of the International Topical Meeting on Probability.
Reliability. and St fety Assessment. PSA '89, Pittsburgh, PA, April 2-7, 1989.
5-1
[13)
W.
- Kroger, J.
Mertens, and J.
Wolters, " Basic Risk Analyses for High-Temperature Reactors," Nuclear Encineerint and Desien, 121 (1990) 299-309.
[14]
V.
Cavicchia, A.
Bassanelli, and E.
Traini, "New Aspects of the PSA Methodology for the Passive Safety Plants," CSNI Conference in Santa Fe, New Mexico, Sept. 4-7, 1990.
[15) " Technical Note: CREDO: The Centralized Reliability Data Organization--A Data Base and Data Analysis Center for Advanced Reactors," Nuclear Safety, Vol. 26, No. 3, May-June 1985.
[16)
R. M. Kemper and C. M. Vertes, " Loss-of-Coolant Accident Performance of the Westinghouse 600 MW(electric) Advanced Pressurized Water Reactor," Nuclear Technolocv, Vol. 91, July 1990.
[17)
C.
R.
- Andre, T.
L.
Schultz, and J.
M.
Iacovino, " Application of Probabilistic Risk Assessment in the Design of Westinghouse Advanced Reactors," Proceedines of the International Tonical Meeting on Probability.
Reliability. and Safety Assessment. PSA '89, Pittsburgh, PA, April 2-7, 1989.
[18)
P.
D.
Rutherford, J.
C.
- Mills, R.
T.
Lancet, and P.
Nourj ah, "A Risk Assessment of the SAFR Plant," Proceedincs of the International Tooical Conference on Probabilistic Safety Assessment and Risk Assessment. PSA '87, Zurich, Switzerland, August 30-September 4, 1987.
[19]
S. H. Lee and D. Okrent, "On the Development of Quantitative Goals for Inherently Safe DiFBR Design and Licensing," Transactions of the 9th i
International Conference on Structural Mechanics in Reactor Technolory, Lausanne, Switzerland, August 1987.
[20]
S. B. Inamati, L. L. Parme, and F. A. Silady, "PRA of the Modular High-Temperature Cas Cooled Reactor," Presented at International Topical Conference on Probabilistic Safety Assessment and Risk Management, PSA '87, Zurich, Switzerland, August 30-September 4, 1987.
[21)
C.
J.
Mueller and D.
C.
Wade, "Probabilistic Evaluation of Successful Inherent Shutdown in Unprotected Accidents in Innovative Liquid-Metal Reactors," Nuclear Technolory, Vol. 91, August 1990.
[22)
M. H. Fontana, et al., "The Role of PRA in Resolving Severe Accident Issues for Advanced Light Water Reactors Treatment of External Events,"
Proceedines of the International Topical Meeting on Probability.
Reliability. and Safety Assessment. PSA '89, Pittsburgh, PA, April 2-7, 1989.
[23) MHB Technical Associates, " Advanced Reactor Study," prepared for Union of Concerned Scientists, July 1990.
[24]
A. Villemeur, M. Bouissou, and A. Dubruil-Chambardel, " Accident Sequences:
Methods to Compute Probabilities," Proceedines of the International Tonical 5-2
k p
\\;
[-
Conference on Probabilistic Safety Assessment and Risk Manarement. PSA'87, Zurich, Switzerland, August 30 - September 4, 1987.
[25). T.
Matsuoka and M.
Kobayashi, "GO-FIDW:
A New Reliability Analysis Methodology," Nuclear Science and Enrineerine:
98, 64-78 (1988).
[26)
D. C. Williams, et al., "IRFBR Accident Delineation Study Phase I Final Report," NUREG/CR-1507, SAND 80-1267, Sandia National Laboratories, November 1980,Section IV.8.
[27)
A.
R.
Gilchrist, S.
B.
- Tulloch, S.
E.
Lindberg, and G.
P.
- Wilson,
" Preliminary Nuclear Assembly Test Residual Heat Removal Fault Tree Analysis," General Electric Astrospace Division, San Jose, CA, April 1989.
[28]
B.
E.
Boyack, et al.,
" Quantifying Reactor Safety Margins Part 1:
An Overview of the Code Scaling, Applicability, and Uncertainty Evaluation Methodology, Hrelear Enrineerine and Desien, 119 (1990) 1-15.
[29)
Z-J. Zeng, ' Reliability Analysis of Structure using a Coupled Monte Carlo-Boundary Element Method," Reliability Engineerine and System Safety, 27 (1990) 269-274.
[30]
G. B. Varnado, W. H. Horton, and P. R. Lobner, " Modular Fault Tree Analysis Procedures Guide," (in four volumes) NUREG/CR-3268, SAND 83-0963, Sandia National Laboratories. Albuquerque, NM, August 1982.
[31]
H.
J.
Bruschi and R.
P.
Vijuk, " Safety:
Evolving Technologies for Tomorrow's Power Reactors," Nuclear Techno1 cry, Vol. 91, July 1990.
[32)
K. D. Russell, et al., " Integrated Reliability and Risk Analysis System (IRRAS) Version 2.5:
Volume 1 Reference Manual," NUREG/CR-5300, EGG-2613, EG&G Idaho, Inc., Idaho Falls, ID, February 1991.
[33]
S. N. Tower, T. L. Shultz, and R. P. Vijuk, " Passive and Simplified System Features for the Advanced Westinghouse 600 MWe PWR," Nuclear Engineering and Desien, 109 (1988), 147-154.
[34)
S. A. Eide, S. V. Chmielewski, and T. D. Swantz, " Generic Component Failure Data Base for Light Water and Liquid Sodium Reactor PRAs (INFORMAL REPORT)," EGG-SSRE-8875, Idaho National Engineering Laboratory, Idaho Falls, ID, February 1990.
[35)
A. Mosleh, et al., " Procedures for Treating Common Cause Failures in Safety and Reliability Studies, Procedural Framework and Examples," NUREG/CR-4780, EPRI NP-5613, Vol.1, Pickard, Lowe, and Carrick, Inc., Newport Beach, CA, January 1988.
[36)
D. D. Carlson, " Interim Reliability Evaluation Program Procedures Guide,"
NUREG/CR-2728, SAND 82-1100, Sandia National Laboratories, Albuquerque, NM, January 1983.
5-3
[37] "IEEE Guide to Collection and Presentation of Electrical, Electronic, and Sensing Component Reliability Data for Nuclear Power Generating Stations,"
IEEE-STD-500, The Institute of Electrical and Electronics Engineers, Inc.,
New York, NY, 1977.
[38)
R.
C.
Bertucio and S.
R.
Brown, " Analysis of Core Damage Frequency:
Sequoyah, Unit 1 Internal Events," NUREG/CR-4550, SAND 86-2084, Vol. 5, Rev.
1, Sandia National Laboratories, Albuquerque, NM, April 1990.
[39)
J. A. Steverson and C. L. Atwood, " Common Cause Fault Rates for Valves,"
NUREG/CR-2770, EGG-EA-5485, EG6G Idaho, Inc., Idaho Falls, ID, February 1983.
[40)
G.
R. Andre, et al.,
"Probabilistic Risk Assessment of the Westinghouse AP600 Reactor Design," Proceedines of the International Topical Meetine on the Safety of Next Generation Power Reactors, Seattle, WA, May 1-5, 1988.
[41]
W. L. Greenstreet, et al., " Aging and Service Wear of Check Valves Uced in Engineered Safety-Feature Systems of Nuclear Power Plants:
Volume 1.
Operating Experience and Failure Identification," NUREG/CR-4302, ORNL-6193/V1, Oak Ridge National Laboratory, Oak Ridge, TN, December 1985.
[42)
H. D. Haines, " Aging and Service Wear of Check Valves Used in Engineered Safety-Feature Systems of Nuclear Power Plants:
Volume 2.
Aging Assessments and Monitoring Method Evaluations," NUREG/CR-4302, ORNL-6193, Vol. 2, Oak Ridge National Laboratory, Oak Ridge, TN, April 1991.
[43]
L.
S. Marks, et al., Marks' Standard Handbook for Mechanical Eneineers, McGraw-Hill, New York, NY, 8th Edition, 1978.
[44]
R. J. Borkowski, et al., "The In-Plant Reliability Data Base for Nuclear Plant Components:
Interin Report--The Valve Component," NUREG/CR-3154, ORNL/TM-8647, Oak Ridge National Laboratory, Oak Ridge, TN, December 1983.
[45)
T. A. Wheeler, et al., " Analysis of the LaSalle Unit 2 Nuclear Power Plant:
Risk Methods Integration and Evaluation Program," NUREG/CR-4832, SAND 87-7157, Vol. 5, Sandia National Laboratories, Albuquerque, NM, October 1990.
[46]
E.
V.
Lofgren and M. Thaggard, " Analysis of Standby and Demand Stress Failure Modes: Methodology and Applications to EDCs and MOVs," NUREC/CR-5823 Science Applications International Corporation, McLean, VA, October 1992.
5-4
APPENDIX A.
LISTING OF PERTINENT DOCUMENTS FROM OCTOBER 1990 LITERATURE SURVEY t
v
APPENDIX A.
LISTING OF PERTINENT DOCUMENTS FROM OCTOBER 1990 LITERATURE SURVEY.
A. Passive System Reliability A1)
L.
Cave and W.
E.
Kastenberg, " Structural Reliability in Relation to Inherent Reactor Safety," Transactions of the 9th International Conference on Structural Mechanics in Reactor Technoloev, Lausanne, Switzerland, August 17-21, 1987.
A2)
L.
Cave and W.
E.
Kastenberg, "The Application of Probabilistic Risk Assessment to Inherently Safe Reactors," Proceedines of the International
(
Tonical Conference on Probabilistic Safety Assessment and Risk Management.
PSA '87, Zurich, Switzerland, August 30-September 4, 1987.
A3)
W.
Braun and W.
Burkle, "Can Inherent Safety Replace Active and Passive Safety Systems?" Kerntechnik, November 1987.
l A4) " Technical Note: CREDO: The Centralized Reliability Data Organization--A i
Data Base and Data Analysis Center for Advanced Reactors," Nuclear Safety, Vol. 26, No. 3, May-June 1985.
AS)
M. Sugawara, N. Handa, and H. Sasakawa, " Comprehensive Treatment of Various Problems Associated with Shutdown Heat Removal Reliability," Proceedings of the LMFBR Safety Topical Meeting, Lyon, France, July 19-23, 1982.
A6)
W.
- Kroger, J.
Mertens, and J.
Wolters, " Basic Risk Analyses for High-Temperature Reactors," Nuclear Enrineerine and Design, 121 (1990) 299-309.
A7) Charles J. Mueller, et al., " Risk Characterization of Safety Research Areas for Integral Fast Reactor Program Planning," Nuclear Technolony, Vol. 91, August 1990.
A8)
K. Sakata, et al., " Evaluation of Very Iow Frequencies of ATWS and Plohs in a Loop-Type FBR Plant by Making Use of Inherently Safe Features,"
Proceedings of the International Topical Conference on Probabilistic Safety Assessment and Risk Management, PSA '87, Zurich, Switzerland, August 30-September 4, 1987.
A9)
J. Dusek and K.
Dach, " Application of Reliability Analysis of VVER NPP Safety Systems to PSA," Proceedings of the International Topical Conference on Probabilistic Safety Assessment and Risk Management, PSA '87, Zurich, Switzerland, August 30-September 4, 1987.
B. Passive System Testing B1)
P.
R.
Betten, H. P. Planchon, L.
K.
- Chang, E.
E.
Feldman, and D. Mohr,
" Putting Inherent Safety to the Test at EBR-II," Nuclear Engineerine International, June 1987.
i f
(
A-1
B2)
H. P. Planchon et al., "Results and Implications of the Experimental Breeder Reactor II Inherent Safety Demonstration Tests," Nuclear Science and Enrineerine:
100, 549-557 (1988).
B3)
Q.
L.
Baird, et al.,
" Operational Safety Experience and Passive Safety Testing at the Fast Flux Test Facility," Nuclear Safety, Vol. 29, No. 3, July-September 1988.
B4)
D. M.
Lucoff, " Passive Safety Testing at the Fast Flux Test Facility,"
Nuclear Technolorv, Vol. 88, Oct. 1989.
C. Advanced Reactor Thermal Hydraulic Analyses C1)
Y. Kataoka, H.
Suzuki, M. Murase, I.
Sumida, T.
Horiuchi, and M. Miki,
" Conceptual Design and Thermal-Hydraulic Characteristics of Natural Circulation Boiling Water Reactors," Nuclear Technolorv, Vol. 82, (1988).
C2)
S. M. Modro, J. D. Miller, S. M. Sloane, and C. S. Rhee, " Reactor System Analyses of Advanced, Passive LWR Designs," (
SUMMARY
PAPER), NUREC/CP-Oll3, Transactions of the Eighteenth Water Reactor Safety Information Meeting, Rockville, MD, October 22-24, 1990.
D. AP600 Safety Analyses D1)
R. M. Kemper and C. M. Vertes, " Loss-of-Coolant Accident Performance of the Westinghouse 600-MW(electric) Advanced Pressurized Vater Reactor," Nuclear Technolorv, Vol. 91, July 1990.
D2)
H.
J.
Bruschi and R.
P.
Vij uk,
" Safety:
Evolving Technologies for Tomorrow's Power Reactors," Nuclear Technolocv, Vol. 91, July 1990.
D3)
C.
R.
- Andre, T.
L.
Schultz, and J.
M.
Iar.ovino,
" Application of Probabilistic Risk Assessment in the Design of Westinghouse Advanced Reactors," Proceedings of the International Topical Meeting on Probability, Reliability, and Safety Assessment, PSA '89, Pittsburgh, PA, April 2-7, 1989.
E. Other Advanced Reactor Safety Analyses E1)
P.
D.
Rutherford, J.
C.
- Mills, R.
T.
Lancet, and P.
Nourj ah,
"A Risk Assessment of the SAFR Plant," Proceedings of the International Topical Conference on Probabilistic Safety Assessment and Risk Assessment, PSA '87, Zurich, Switzerland, August 30-September 4, 1987.
E2)
S. H. Levinson and R. S. Enzinna, "Probabilistic Analysis for Conceptual Design of the Babcock & Wilcox Advanced Light Water Reactor," Nuclear Technolory, Vol. 91, July 1990.
E3)
S. B.
Inamati, L. L. Parme, and F. A. Silady, "PRA of the Modular High-Temperature Cas-Cooled Reactor," Presented at International Topical Conference on Probabilistic Safety Assessment and Risk Management, PSA ' 87, Zurich, Switzerland, August 30-September 4, 1987.
A-2
E4)
D. B. Trauger, " Safety and Licensing for Small and Medium Power Reactors,"
Nuclear Encineerinc and Desien, 109 (1988) 267-271.
ES)
C.
J.
Mueller and D.
C.
Wade, "Probabilistic Evaluation of Successful Inherent Shutdown in Unprotected Accidents in Innovative Liquid-Metal Reactors," Nuclear Technolorv, Vol. 91, August 1990.
E6)
V.
Cavicchia, A.
Bassanelli, and E.
Traini, "New Aspects of the PSA Methodology for the Passive Safety Plants," CSNI Conference in Santa Fe, New Mexico, Sept. 4-7, 1990.
j E7)
R. T. Lancet, J. C. Mills, and C. B. Martin, "SAFR:
Increased Safety by Capitalizing on the Inherent Characteristics of Liquid-Metal Reactors," 15th Water Reactor Safety Information Meeting, Caithersburg, MD, October 26-29, 1987.
E8)
K. Kroger, J. Martens, J. Wolters, " Risk Assessment of Small-Sized HTR with Pebble-Bed Core," Proceedings of the International Topical Conference on Probabilistic Safety Assessment and Risk Assessment, PSA
'87,
- Zurich, Switzerland, August 30-September 4, 1987.
E9)
P. J. Allen, "The Use of PSA in the Design, Safety Assessment and Licensing j
of the Advanced CANDU Design," Proceedings of the International Topical Meeting on Probability, Reliability, and Safety Assessment, PSA
'89, Pittsburgh, PA, April 2-7, 1989.
j E10)
M. H. Fontana, et al., "The Role of PRA in Resolving Severe Accident Issues for Advanced Light Water Reactors Treatment of External Events,"
Proceedings of the International Topical Meeting on Probability, Reliability, and Safety Assessment, PSA '89, Pittsburgh, PA, April 2-7, 1989.
Ell)
S.
H.
Lee and D.
Okrent, "On the Development of Quantitative Coals for Inherently Safe IJiFBR Design and Licensing," Transactions of the 9th International Conference on Structural Mechanics in Reactor Technology, Lausanne, Switzerland, August 1987.
E12)
W.
R.
Sugnet and S.
T.
Gray, "Use of PRA in the ALWR Requirements Document," Proceedings of the International Topical Meeting on Probability, Reliability, and Safety Assessment, PSA '89, Pittsburgh, PA, April 2-7, 1989.
E13)
W.
- Rehm, W.
Jahn, and K.
Verfondern, "Present Results and Further Developments on Safety Analysis of Small and Medium-Sized HTRs for Core Heat-Up Accidents," Nuclear Encineerinc and Desien, 109 (1988) 281-287.
E14)
A.
Jacobi Jr.,
V.
Herrnberger, J.
F.
Jaeger, and K.
Lieber, " Safety Assessment and Radiation Protection Aspects of the Swiss Heating Reactor (SHR)," Nuclear Encineerine and Desien, 109 (1988) 321-327.
E15)
H. Nagasaka, et al., " Study of a Natural-Circulation Boiling Water Reactor With Passive Safety," Nuclear Technolocv, Vol. 92, November 1990.
A-3
i F. General Advanced Reactor and Passive System Safety F1)
M. W. Golay, Vugrafs, " Assuring the Safety of Advanced Light Water Reactors Employing Semi-Passive Safety Features," Presented at Sandia National Laboratories, Aug. 20, 1990.
F2)
Y. Kataoka, H. Suzuki, S. llatamiya, M. Murase, I. Sumida, T. Horiuchi, and M.
Miki, " Conceptual Design and Safety Characteristics of a Natural-Circulation Boiling Water Reactor," Nuclear Technolorv, Vol. 91, July 1990.
F3)
R. J. McCandless and J.
R. Redding, " Simplicity:
The Key to Improved Safety, Performance and Economics," Nuclear Eneineerine International, Vol.
34, November 1989.
F4)
D.
D.
- Carlson, "A Preliminary Review of the Potential for Inherent and Passive Safety in LWRs," Internal Sandia National Laboratories Memorandum to A. C. Marshall, October 5, 1987.
F5)
W.
Wacholz, rThe Safety Characteristics of the HTR 500 Reactor Plant,"
Nuclear Encineerine and Design, 198 (1988) 307-312.
F6)
J. McQuaid, " Inherent Safety in Non-Nuclear Applications," Proceedings of the Conference on Technology-Based Confidence Building:
Energy and Environment, Santa Fe, NM, July 9-14, 1989.
F7)
S. J. Brereton, D. F. Holland, and S. J. Piet, " Development of the Passive Safety Concept and its Application to ITER (Internal Thermonuclear Experimental Reactor," EFF-FSP-8742, EG&G Idaho, November 1989.
F8)
N. N..Ponomarev-Stepnoj, " Nuclear Safety," Proceedings of an International Conference on Nuclear Power Performance and Safety, Vienna, Austria, September 28 - October 2, 1987.
F9)
M. J. Elliot, "Use of Quantified Risk Assessment Techniques in Relation to Major Hazard Installations," Crvorenics, December 1988.
F10)
A. Boshci, et al., "A First Approach to the Safety Analysis of A Tokamak Test Reactor By a System Study Methodology," Fusion Technology, March 1989.
C. General Reliability Methods G1)
B.
E.
Boyack, et al.,
" Quantifying Reactor Safety Margins Part 1:
An Overview of the Code Scaling, Applicability, and Uncertainty Evaluation Methodology, Nuclear Engineerinc and Desien, 119 (1990) 1-15.
G2)
A. I. Klemin and R. T. Islamov, " Determination of the Reliability Indicators for Equipment in a Nuclear Power Plant Operating in a Complex Regime,"
Soviet Atomic Enugy, (Russian Original, Vol. 66, No. 5, May 1989), November 1989.
G3)
T. Matsuoka and M. Kobayashi, "CO-FIAW: A Reliability Analysis Methodology
- Its Basic Concept and Applicability," Proceedings of the Internal Topical A-4
Conference on Probabilistic Safety Assessment and Risk Management, PSA'87, Zurich, Switzerland, August 30 - September 4, 1987.
G4)
T.
Matsuoka and M.
Kobayashi, "GO-FIDW:
A New Reliability Analysis Methodology," Nuclear Science and Engineerine:
98, 64-78 (1988).
G5)
A. Villemeur, M. Bouissou, and A. Dubruil-Chambardel, " Accident Sequences:
Methods to Compute Probabilities," Proceedings of the International Topical Conference on Probabilistic Safety Assessment and Risk Management, PSA'87, Zurich, Switzerland, August 30 - September 4, 1987.
l l
G6) J. M. Lanore, J. L. Caron, J. M. Lanore, and J. L'Henoret,
" Interaction l
Between Thermal / Hydraulics, Human Factors and System Analysis for Assessing Feed and Bleed Risk Benefits," Proceedings of the International Conference on Probabilistic Safety Assessment and Risk Management, PSA'87, Zurich, Switzerland, August 30 - September 4, 1987.
G7)
K.
- Nakada, K.
- Miyagi, N.
Handa, and S.
- Hattori, "A
Method of State Transition Analysis Under System Interactions: An Analysis of a Shutdown Heat Removal System," Nuclear Technolory, Vol. 82, Aug. 1988.
G8)
G. S. Holman and C. K. Chou, "Using Component Test Data to Develop Failure Probabilities and Improve Seismic Performance," Transactions of the 9th International Conference on Structural Mechanics in Reactor Technology, Lausanne, Switzerland, August 1987.
G9)
Z-J. Zeng, " Reliability Analysis of Structure using a Coupled Monte Carlo-Boundary Element Method," Reliability Enrineerine and System Safety, 27 (1990) 269-274.
G10)
B. E. Boyack, et al., "An Integrated Structure and Scaling Methodology for Resolving Technical Issues Relevant to Severe Accidents," (
SUMMARY
PAPER),
NUREC/CP-0113, Transactions of the Eighteenth Water Reactor Safety Information Meeting, Rockville, MD, October 22-24, 1990.
Gil)
M. Hassan and T. Aldemir, "A Data Base Oriented Dynamic Methodology for the Failure Analysis of Closed Loop Control Systems in Process Plants,"
Reliability Enrineerine and System Safety, 27 (1990) 269-274.
G12)
D.
C. Williams, et al., "1RFBR Accident Delineation Study Phase I Final Report," NUREG/CR-1507, SAND 80-1267, Sandia National Laboratories, November 1980,Section IV.8.
Miscellaneous (Not Assigned to Above Categories):
- 1. July and August 1990 issues of Nuclear Technolony (Advanced Reactor Safety) 2.
ORNL-6554
" Proposed and Existing Passive and Inherent Safety-Related Structures, Systems, and Components (Building Blocks) for Advanced Light Water Reactors," October, 1989.
A-5
~.
l 2
- l 4-
. 3. BNL-NUREG-52197 NUREG/CR-5364, " Summary of Advanced IJE Evaluations - PRISM and,SAFR,"_ October 1989.
- J
- 4. c" Proceedings of the International Topical Meeting on the Safety of Next Ceneration Power Reactors," Seattle, WA, May 1-5, 1988.
F 1
I i
l i
L i
t i
t p
A-6 i
3 r,
e,
P iT DISTRIBUTION Arthur J. Busiik'(6)
USNRC-RES/PRAB '
US Nuclear Regulatory Commission MS: T-9 F31 Washington, DC 20555 Mark A. Cunningham, Chief
]
USNRC-RES/PRAB US Nuclear Regulatory Commission MS: T-9 F31 Washington, DC 20555 John Darby SEA, Inc.
6100 Uptown Blvd. NE Albuquerque, NM 87110
-t i
A. Sharif Heger (5)
UNM Chemical and Nuclear Engineering Department Farris Engineering-Room 209 Albuquerque, NM 87131 James W. Johnson USNRC-RES/PRAB US Nuclear Regulatory Commission MS: T-9 F31 Washington, DC 20555 Harold VanderMolen USNRC-RES/PRAB US Nuclear Regulatory Commission MS: T-9 F31 Washington, DC 20555 Westinghouse Electric Corp NTD Central File Nuclear Safety P. O. Box 355,4081-A Pittsburgh, PA 15230-0355 DIST-1
.'~
Westinghouse Electric Corp Atta: Brian A. McIntyre P. O. Box 355 Pittsburgh, PA 15230-0355 MS0736 N. R. Ortiz, 6400 MS0747 A. L. Camp, 6412 (4)
' MS0747 V. J. Dandini, 6412 MS0747 S. L. Daniel, 6412 MS0747 S. E. Dingman, 6412 MS0747 J. A. Forester, 6412 MS0747 D. B. Mitchell, 6412 MS0747 H. K. Schriner, 6412 MS0747 B. D. Staple, 6412 MS0747 D. W. Whitehead, 6412 MS0747 G. D. Wyss, 6412 MS0425 A. C. Payne, Jr., 4115 MS0748 F. T. Harper, 6413 MS0737 M. P. Bohn, 6449 MS1116 T. M. Hake, 7442 (5)
MS9018 Central Technical Files, 8523-2 MS0899 Technical Library, 13414 (5)
MS0619 Print Media,12615 MS0100 Document Processing, 7613-2 For DOPJOSTI DIST-2
>u...........,... m..,,,c...........,.....
p.
e Org steg 9,m, Rec'd by Org Bldg.
Name Rec'd by i
i l
I 2
)
h Sandia National L